'''Learning with errors (LWE)''' is a computational problem, originally phrased in the language of [[machine learning]], that is conjectured to be hard to solve: recover a secret vector from random linear equations each of which has been perturbed by a small error. It is a generalization of the [[parity learning]] problem and was introduced<ref name="regev05" /> by [[Oded Regev]] in 2005. Regev showed, furthermore, that solving LWE is at least as hard as solving several worst-case [[lattice problems]]. Because of this worst-case guarantee, the LWE problem has since<ref name="regev05">Oded Regev, “On lattices, learning with errors, random linear codes, and cryptography,” in Proceedings of the thirty-seventh annual ACM symposium on Theory of computing (Baltimore, MD, USA: ACM, 2005), 84-93, http://portal.acm.org/citation.cfm?id=1060590.1060603.</ref><ref name="peikert09">Chris Peikert, “Public-key cryptosystems from the worst-case shortest vector problem: extended abstract,” in Proceedings of the 41st annual ACM symposium on Theory of computing (Bethesda, MD, USA: ACM, 2009), 333-342, http://portal.acm.org/citation.cfm?id=1536414.1536461.</ref> been used as a [[Computational hardness assumption|hardness assumption]] on which to build [[Public-key cryptography|public-key cryptosystems]].

An algorithm is said to solve the LWE problem if, when given access to samples <math>(x,y)</math> where <math>x\in \mathbb{Z}_q^n</math> and <math>y \in \mathbb{Z}_q</math>, with the assurance that for some fixed [[linear function]] <math>f:\mathbb{Z}_q^n \rightarrow \mathbb{Z}_q</math> the value <math>y</math> equals <math>f(x)</math> up to an error drawn from a known noise model (so that <math>y=f(x)</math> holds only approximately, or only for most samples, rather than exactly), the algorithm recovers <math>f</math>, or some close approximation of it, with high probability. The noise is essential: without it, <math>n</math> linearly independent samples determine <math>f</math> by Gaussian elimination over <math>\mathbb{Z}_q</math>.

== Definition ==

Denote by <math>\mathbb{T}=\mathbb{R}/\mathbb{Z}</math> the additive group of reals modulo one. Denote by <math>A_{\mathbf{s},\phi}</math> the distribution on <math>\mathbb{Z}_q^n \times \mathbb{T}</math> obtained by choosing a vector <math>\mathbf{a}\in \mathbb{Z}_q^n</math> uniformly at random, choosing <math>e</math> according to a probability distribution <math>\phi</math> on <math>\mathbb{T}</math>, and outputting <math>(\mathbf{a},\langle \mathbf{a},\mathbf{s} \rangle /q + e)</math> for some fixed vector <math>\mathbf{s} \in \mathbb{Z}_q^n</math>, where the division is done in the [[field of reals]] and the addition in <math>\mathbb{T}</math>.

The learning with errors problem '''<math>LWE_{q,\phi}</math>''' is to find <math>\mathbf{s} \in \mathbb{Z}_q^n</math>, given access to polynomially many independent samples from <math>A_{\mathbf{s},\phi}</math> (the algorithm may request as many samples as it likes, up to a polynomial bound).

For every <math>\alpha > 0</math>, denote by <math>D_\alpha</math> the one-dimensional [[Normal distribution|Gaussian]] with density function <math>D_\alpha(x)=\rho_\alpha(x)/\alpha</math> where <math>\rho_\alpha(x)=e^{-\pi(|x|/\alpha)^2}</math> (so <math>D_\alpha</math> has standard deviation <math>\alpha/\sqrt{2\pi}</math>), and let <math>\Psi_\alpha</math> be the distribution on <math>\mathbb{T}</math> obtained by reducing <math>D_\alpha</math> modulo one. The version of LWE considered in most of the results below is <math>LWE_{q,\Psi_\alpha}</math>.

== Decision version ==

The '''LWE''' problem described above is the ''search'' version of the problem. In the ''decision'' version ('''DLWE'''), the goal is to distinguish between noisy inner products and uniformly random samples from <math>\mathbb{Z}_q^n \times \mathbb{T}</math> (in practice, some discretized version of it). Regev<ref name="regev05" /> showed that the ''decision'' and ''search'' versions are equivalent when <math>q</math> is a prime bounded by some polynomial in <math>n</math>.

=== Solving decision assuming search ===

Intuitively, if we have a procedure for the search problem, the decision version can be solved easily: just feed the input samples for the decision problem to the solver for the search problem. Denote the given samples by <math>\{(\mathbf{a_i},\mathbf{b_i})\} \subset \mathbb{Z}^n_q \times \mathbb{T}</math>. If the solver returns a candidate <math>\mathbf{s}</math>, calculate for every <math>i</math> the residual <math>\mathbf{b_i} - \langle \mathbf{a_i}, \mathbf{s} \rangle / q</math> (in <math>\mathbb{T}</math>). If the samples came from an LWE distribution, these residuals are distributed according to the error distribution (written <math>\chi</math> in this section; it is <math>\phi</math> in the definition above and <math>\Psi_\alpha</math> in the standard setting), so they are concentrated near <math>0</math>. If the samples are uniformly random, the residuals are uniform on <math>\mathbb{T}</math> whatever candidate <math>\mathbf{s}</math> the solver returned, so a simple test of how concentrated the residuals are distinguishes the two cases.

=== Solving search assuming decision ===

For the other direction, given a solver for the decision problem, the search version can be solved as follows. Recover <math>\mathbf{s}</math> one coordinate at a time. To obtain the first coordinate, <math>\mathbf{s}_1</math>, make a guess <math>k \in \mathbb{Z}_q</math> and do the following. Transform the given samples <math>\{(\mathbf{a_i},\mathbf{b_i})\} \subset \mathbb{Z}^n_q \times \mathbb{T}</math> one at a time: for each sample choose a fresh <math>r_i \in \mathbb{Z}_q</math> uniformly at random and replace the sample by <math>(\mathbf{a_i}+(r_i,0,\ldots,0),\ \mathbf{b_i}+r_i k/q)</math>. Send the transformed samples to the decision solver.

If the guess <math>k</math> was correct, then <math>\mathbf{b_i} + r_i k/q = \langle \mathbf{a_i}+(r_i,0,\ldots,0), \mathbf{s} \rangle/q + e_i</math>, so the transformation takes the distribution <math>A_{\mathbf{s},\chi}</math> to itself. Otherwise the second component is off by <math>r_i(k-\mathbf{s}_1)/q</math>; since <math>q</math> is prime and <math>k-\mathbf{s}_1 \neq 0</math>, this offset is uniform over the multiples of <math>1/q</math>, so the transformation takes <math>A_{\mathbf{s},\chi}</math> to the uniform distribution (exactly uniform on the discretized version of <math>\mathbb{T}</math> used in practice). So, given a polynomial-time solver for the decision problem that errs with very small probability, since <math>q</math> is bounded by some polynomial in <math>n</math>, it only takes polynomial time to guess every possible value for <math>k</math> and use the solver to see which one is correct.

After obtaining <math>\mathbf{s}_1</math>, we follow an analogous procedure for each other coordinate <math>\mathbf{s}_j</math>. Namely, we transform our <math>\mathbf{b_i}</math> samples the same way, and transform our <math>\mathbf{a_i}</math> samples by calculating <math>\mathbf{a_i} + (0, \ldots, r_i, \ldots, 0)</math>, where the <math>r_i</math> is in the <math>j^{th}</math> coordinate.<ref name="regev05" />

Peikert<ref name="peikert09" /> showed that this reduction, with a small modification, works for any <math>q</math> that is a product of distinct, small (polynomial in <math>n</math>) primes. The main idea is that if <math>q = q_1 q_2 \cdots q_t</math>, then for each <math>q_{\ell}</math> one can guess the residue of <math>\mathbf{s}_j</math> modulo <math>q_{\ell}</math> (there are only <math>q_\ell = poly(n)</math> candidates) and check the guess with the decision solver, and then use the [[Chinese remainder theorem]] to recover <math>\mathbf{s}_j</math> from its residues.

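The reduction above, as an added example that is not part of the article or of Regev's paper: a Python simulation that draws toy LWE samples, builds a stand-in for a DLWE solver, and recovers the secret coordinate by coordinate by trying every guess <math>k \in \mathbb{Z}_q</math>. The stand-in "decision oracle" cheats for the purposes of the simulation by using the secret to test whether the residuals are concentrated near <math>0</math> (uniform residuals have mean distance <math>1/4</math> from <math>0</math>); the reduction itself only ever calls it as a black box on transformed samples, exactly as in the proof. The parameters <math>n=4</math>, <math>q=17</math>, <math>\alpha=0.01</math>, <math>m=40</math> and the function names are this example's own choices and are nowhere near secure.

```python
import math
import random

# Added example, not code from Regev's paper. All parameters below are toy
# sizes chosen so the simulation runs in a fraction of a second.


def lwe_samples(s, q, alpha, m, rng):
    """Draw m samples from A_{s,Psi_alpha}: a uniform in Z_q^n and
    b = <a,s>/q + e (mod 1), where e ~ D_alpha has standard deviation
    alpha/sqrt(2*pi)."""
    sigma = alpha / math.sqrt(2 * math.pi)
    samples = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(len(s))]
        e = rng.gauss(0.0, sigma)
        b = (sum(x * y for x, y in zip(a, s)) / q + e) % 1.0
        samples.append((a, b))
    return samples


def centered(x):
    """Representative of x mod 1 in (-1/2, 1/2]; |centered(x)| is the distance to 0 in T."""
    x %= 1.0
    return x - 1.0 if x > 0.5 else x


def make_decision_oracle(s, q, threshold=0.125):
    """Stand-in for a DLWE solver. It cheats by knowing s: it answers 'LWE'
    when the residuals b_i - <a_i,s>/q are concentrated near 0. Uniform
    residuals have mean distance 1/4 from 0, LWE residuals roughly alpha."""
    def is_lwe(samples):
        mean_dist = sum(abs(centered(b - sum(x * y for x, y in zip(a, s)) / q))
                        for a, b in samples) / len(samples)
        return mean_dist < threshold
    return is_lwe


def shift_samples(samples, j, k, q, rng):
    """Regev's transformation for coordinate j and guess k: add a fresh
    uniform r_i to a_i[j] and r_i*k/q to b_i. This maps A_{s,chi} to itself
    iff k == s_j; otherwise (q prime) the b-values become uniform."""
    out = []
    for a, b in samples:
        r = rng.randrange(q)
        a2 = list(a)
        a2[j] = (a2[j] + r) % q
        out.append((a2, (b + r * k / q) % 1.0))
    return out


def recover_secret(samples, q, is_lwe, rng):
    """Search from decision: for each coordinate try all q guesses and keep
    the single one the decision oracle accepts (n*q oracle calls in total)."""
    n = len(samples[0][0])
    s = []
    for j in range(n):
        accepted = [k for k in range(q) if is_lwe(shift_samples(samples, j, k, q, rng))]
        if len(accepted) != 1:
            raise ValueError(f"coordinate {j}: oracle accepted guesses {accepted}")
        s.append(accepted[0])
    return s


def demo(n=4, q=17, alpha=0.01, m=40, seed=7):
    """Returns (true secret, secret recovered through the oracle only)."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    samples = lwe_samples(s, q, alpha, m, rng)
    oracle = make_decision_oracle(s, q)   # the reduction never reads s directly
    return s, recover_secret(samples, q, oracle, rng)


if __name__ == "__main__":
    secret, recovered = demo()
    print("secret   ", secret)
    print("recovered", recovered)
```

The fresh <math>r_i</math> per sample matters: reusing one <math>r</math> for all samples would shift every residual by the same constant, and a wrong guess whose constant happened to be near <math>0</math> would be accepted.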

=== Average case hardness ===

Regev<ref name="regev05" /> showed the [[Random self-reducibility]] of the '''LWE''' and '''DLWE''' problems for arbitrary <math>q</math> and <math>\chi</math>. Given samples <math>\{(\mathbf{a_i},\mathbf{b_i})\}</math> from <math>A_{\mathbf{s},\chi}</math> and any <math>\mathbf{t} \in \mathbb{Z}_q^n</math>, it is easy to see that <math>\{(\mathbf{a_i},\ \mathbf{b_i} + \langle \mathbf{a_i}, \mathbf{t} \rangle/q)\}</math> are samples from <math>A_{\mathbf{s} + \mathbf{t},\chi}</math>, since <math>\langle \mathbf{a_i}, \mathbf{s} \rangle + \langle \mathbf{a_i}, \mathbf{t} \rangle = \langle \mathbf{a_i}, \mathbf{s}+\mathbf{t} \rangle</math>.

So, suppose there was some set <math>\mathcal{S} \subset \mathbb{Z}_q^n</math> such that <math>|\mathcal{S}|/|\mathbb{Z}_q^n| = 1/poly(n)</math>, and for distributions <math>A_{\mathbf{s'},\chi}</math>, with <math>\mathbf{s'} \leftarrow \mathcal{S}</math>, '''DLWE''' was easy.

Then there would be some distinguisher <math>\mathcal{A}</math> who, given samples <math>\{(\mathbf{a_i},\mathbf{b_i}) \}</math>, could tell whether they were uniformly random or from <math>A_{\mathbf{s'},\chi}</math>. If we need to distinguish uniformly random samples from <math>A_{\mathbf{s},\chi}</math>, where <math>\mathbf{s}</math> is chosen uniformly at random from <math>\mathbb{Z}_q^n</math>, we could simply try different values <math>\mathbf{t}</math> sampled uniformly at random from <math>\mathbb{Z}_q^n</math>, calculate <math>\{(\mathbf{a_i},\ \mathbf{b_i} + \langle \mathbf{a_i}, \mathbf{t} \rangle/q)\}</math> and feed these samples to <math>\mathcal{A}</math>. Since <math>\mathcal{S}</math> comprises a non-negligible (<math>1/poly(n)</math>) fraction of <math>\mathbb{Z}_q^n</math>, with high probability, if we choose a polynomial number of values for <math>\mathbf{t}</math>, we will find one such that <math>\mathbf{s} + \mathbf{t} \in \mathcal{S}</math>, and <math>\mathcal{A}</math> will successfully distinguish the samples. (Uniformly random samples stay uniformly random under the shift, so the shifted samples never fool <math>\mathcal{A}</math> in the other direction.)

Thus, no such <math>\mathcal{S}</math> can exist, meaning '''LWE''' and '''DLWE''' are (up to a polynomial factor) as hard in the average case as they are in the worst case.

== Hardness results ==

=== Regev's result ===

For an <math>n</math>-dimensional lattice <math>L</math>, let the ''smoothing parameter'' <math>\eta_\epsilon(L)</math> denote the smallest <math>s</math> such that <math>\rho_{1/s}(L^*\setminus \{\mathbf{0}\}) \leq \epsilon</math>, where <math>L^*</math> is the dual of <math>L</math> and <math>\rho_\alpha(x)=e^{-\pi(|x|/\alpha)^2}</math> is extended to sets by summing the function values over the elements of the set. Let <math>D_{L,r}</math> denote the discrete Gaussian distribution on <math>L</math> of width <math>r</math>, for a lattice <math>L</math> and real <math>r>0</math>: the probability of each <math>x \in L</math> is proportional to <math>\rho_r(x)</math>.

The ''discrete Gaussian sampling problem'' (DGS) is defined as follows: an instance of <math>DGS_\phi</math> is given by an <math>n</math>-dimensional lattice <math>L</math> and a number <math>r \geq \phi(L)</math>. The goal is to output a sample from <math>D_{L,r}</math>. Regev shows that there is a reduction from <math>GapSVP_{100\sqrt{n}\gamma(n)}</math> to <math>DGS_{\sqrt{n}\gamma(n)/\lambda_1(L^*)}</math> for any function <math>\gamma(n)</math>, where <math>\lambda_1(L^*)</math> is the length of a shortest nonzero vector of <math>L^*</math>.

Regev then shows that there exists an efficient quantum algorithm for <math>DGS_{\sqrt{2n}\eta_\epsilon(L)/\alpha}</math> given access to an oracle for <math>LWE_{q,\Psi_\alpha}</math> for integer <math>q</math> and <math>\alpha \in (0,1)</math> such that <math>\alpha q > 2\sqrt{n}</math>. Combined with the reduction above, this implies the hardness of <math>LWE_{q,\Psi_\alpha}</math>: an efficient LWE solver would yield an efficient quantum algorithm for worst-case approximate <math>GapSVP</math>. Although the proof of this assertion works for any <math>q</math>, for creating a cryptosystem <math>q</math> has to be polynomial in <math>n</math>.

=== Peikert's result ===

Peikert proves<ref name="peikert09" /> that there is a probabilistic polynomial time reduction from the [[Lattice_problems#GapSVP|<math>GapSVP_{\zeta,\gamma}</math>]] problem in the worst case to solving <math>LWE_{q,\Psi_\alpha}</math> using <math>poly(n)</math> samples, for parameters <math>\alpha \in (0,1)</math>, <math>\gamma(n)\geq n/(\alpha \sqrt{\log{n}})</math>, <math>\zeta(n) \geq \gamma(n)</math> and <math>q \geq (\zeta/\sqrt{n})\cdot \omega(\sqrt{\log{n}})</math>.

== Use in Cryptography ==

The '''LWE''' problem serves as a versatile problem used in the construction of several<ref name="regev05" /><ref name="peikert09" /><ref>Chris Peikert and Brent Waters, “Lossy trapdoor functions and their applications,” in Proceedings of the 40th annual ACM symposium on Theory of computing (Victoria, British Columbia, Canada: ACM, 2008), 187-196, http://portal.acm.org/citation.cfm?id=1374406.</ref><ref>Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in Proceedings of the 40th annual ACM symposium on Theory of computing (Victoria, British Columbia, Canada: ACM, 2008), 197-206, http://portal.acm.org/citation.cfm?id=1374407.</ref> cryptosystems. In 2005, Regev<ref name="regev05" /> showed that the decision version of LWE is hard assuming quantum hardness of the [[lattice problems]] <math>GapSVP_\gamma</math> (for <math>\gamma</math> as above) and <math>SIVP_{t}</math> with <math>t=\tilde{O}(n/\alpha)</math>. In 2009, Peikert<ref name="peikert09" /> proved a similar result assuming only the classical hardness of the related problem [[Lattice_problems#GapSVP|<math>GapSVP_{\zeta,\gamma}</math>]]. The disadvantage of Peikert's result is that it rests on a non-standard variant of <math>GapSVP</math>, which is an easier problem than <math>SIVP</math>.

=== Public-key cryptosystem ===

Regev<ref name="regev05" /> proposed a [[public-key cryptosystem]] based on the hardness of the '''LWE''' problem. The cryptosystem, as well as the proofs of security and correctness, is completely classical; only the worst-case hardness reduction of the previous section is quantum. The system is characterized by <math>m,q</math> and a probability distribution <math>\chi</math> on <math>\mathbb{T}</math>. The setting of the parameters used in the proofs of correctness and security is

* <math>q \geq 2 </math>, a prime number between <math>n^2</math> and <math>2n^2</math>.

* <math>m=(1+\epsilon)(n+1) \log{q}</math> for an arbitrary constant <math>\epsilon > 0</math>

* <math>\chi=\Psi_{\alpha(n)}</math> for <math>\alpha(n) \in o(1/(\sqrt{n}\log{n}))</math>

The cryptosystem is then defined by:

* ''Private Key'': The private key is an <math>\mathbf{s}\in \mathbb{Z}^n_q</math> chosen uniformly at random.

* ''Public Key'': Choose <math>m</math> vectors <math>\mathbf{a}_1,\ldots,\mathbf{a}_m \in \mathbb{Z}^n_q</math> uniformly and independently. Choose error offsets <math>e_1,\ldots,e_m \in \mathbb{T}</math> independently according to <math>\chi</math>. The public key consists of the <math>m</math> LWE samples <math>(\mathbf{a}_i,b_i=\langle \mathbf{a}_i,\mathbf{s} \rangle/q + e_i)^m_{i=1}</math>.

* ''Encryption'': The encryption of a bit <math>x \in \{0,1\}</math> is done by choosing a uniformly random subset <math>S</math> of <math>[m]</math> (each index included independently with probability <math>1/2</math>) and then defining <math>Enc(x)</math> as <math>(\sum_{i \in S} \mathbf{a}_i,\ x/2 + \sum_{i \in S} b_i)</math>, the first sum taken in <math>\mathbb{Z}_q^n</math> and the second in <math>\mathbb{T}</math>.

* ''Decryption'': The decryption of <math>(\mathbf{a},b)</math> is <math>0</math> if <math>b-\langle \mathbf{a}, \mathbf{s} \rangle/q</math> (computed in <math>\mathbb{T}</math>) is closer to <math>0</math> than to <math>\frac{1}{2}</math>, and <math>1</math> otherwise.

The proof of correctness follows from the choice of parameters and some probability analysis: the decryption residual equals <math>x/2 + \sum_{i \in S} e_i</math>, and the parameters ensure that the accumulated error <math>\sum_{i \in S} e_i</math> stays below <math>1/4</math> in absolute value with overwhelming probability. The proof of security is by reduction to the decision version of '''LWE''': an algorithm for distinguishing between encryptions (with the above parameters) of <math>0</math> and <math>1</math> can be used to distinguish between <math>A_{\mathbf{s},\chi}</math> and the uniform distribution over <math>\mathbb{Z}^n_q \times \mathbb{T}</math>. The scheme encrypts one bit at a time and is secure only against chosen-plaintext attacks: it is malleable, since adding <math>1/2</math> to the second component of a ciphertext flips the encrypted bit, so it is not secure against [[chosen-ciphertext attack]]s.

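The cryptosystem above, as an added example that is not part of the article or of Regev's paper: a Python implementation of key generation, one-bit encryption and decryption, with <math>\mathbb{T}</math> represented by floating-point numbers reduced modulo <math>1</math> and the error distribution <math>\Psi_\alpha</math> drawn as a Gaussian of standard deviation <math>\alpha/\sqrt{2\pi}</math>. The parameters <math>n=8</math>, <math>q=67</math>, <math>m=64</math>, <math>\alpha=0.01</math> satisfy the constraints listed above (which <code>check_parameters</code> verifies) but are toy sizes with no security; the function names are this example's own. The example also exhibits the malleability noted above by flipping a ciphertext's bit without the key.

```python
import math
import random

# Added example, not code from Regev's paper. Toy parameters only.


def is_prime(x):
    return x >= 2 and all(x % d for d in range(2, math.isqrt(x) + 1))


def check_parameters(n, q, m, alpha):
    """Constraints from the correctness/security proofs: q prime in [n^2, 2n^2],
    m >= (n+1) log2 q, and alpha well below 1/(sqrt(n) log2 n), so that the
    ~m/2 accumulated errors in a ciphertext stay far below 1/4."""
    return (is_prime(q) and n * n <= q <= 2 * n * n
            and m >= (n + 1) * math.log2(q)
            and alpha < 1.0 / (math.sqrt(n) * math.log2(n)))


def sample_error(alpha, rng):
    """One draw from Psi_alpha: Gaussian of width alpha, reduced mod 1."""
    return rng.gauss(0.0, alpha / math.sqrt(2 * math.pi)) % 1.0


def inner(a, s, q):
    """<a,s>/q as a real number (the division is over the reals)."""
    return sum(x * y for x, y in zip(a, s)) / q


def keygen(n, q, m, alpha, rng):
    """Private key s uniform in Z_q^n; public key = m LWE samples under s."""
    s = [rng.randrange(q) for _ in range(n)]
    pk = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        pk.append((a, (inner(a, s, q) + sample_error(alpha, rng)) % 1.0))
    return s, pk


def encrypt(pk, bit, q, rng):
    """Enc(x) = (sum_{i in S} a_i mod q, x/2 + sum_{i in S} b_i mod 1)
    for a uniformly random subset S of [m]."""
    n = len(pk[0][0])
    a_sum, b_sum = [0] * n, 0.0
    for a, b in pk:
        if rng.getrandbits(1):          # include index i in S with probability 1/2
            a_sum = [(x + y) % q for x, y in zip(a_sum, a)]
            b_sum += b
    return a_sum, (bit / 2 + b_sum) % 1.0


def decrypt(s, ct, q):
    """0 if b - <a,s>/q is closer to 0 than to 1/2 in T, else 1."""
    a, b = ct
    d = (b - inner(a, s, q)) % 1.0
    dist_to_zero = min(d, 1.0 - d)      # distance to 1/2 is |d - 1/2| = 1/2 - dist_to_zero
    return 0 if dist_to_zero < 0.25 else 1


def flip_bit(ct):
    """Malleability: adding 1/2 to the second component flips the plaintext
    without knowing the key, which is why the scheme is not CCA-secure."""
    a, b = ct
    return a, (b + 0.5) % 1.0


def roundtrip(bits, n=8, q=67, m=64, alpha=0.01, seed=2024):
    """Encrypt and decrypt a list of bits; also decrypt the flipped ciphertexts.
    Returns (decrypted bits, decrypted bits of the tampered ciphertexts)."""
    rng = random.Random(seed)
    assert check_parameters(n, q, m, alpha), "parameters violate the proof's constraints"
    s, pk = keygen(n, q, m, alpha, rng)
    cts = [encrypt(pk, x, q, rng) for x in bits]
    return ([decrypt(s, ct, q) for ct in cts],
            [decrypt(s, flip_bit(ct), q) for ct in cts])


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    print("decrypted:", roundtrip(message)[0])
    print("tampered: ", roundtrip(message)[1])
```

Because each ciphertext carries <math>n</math> elements of <math>\mathbb{Z}_q</math> plus one element of <math>\mathbb{T}</math> per plaintext bit, the ciphertext expansion is large; the value of the scheme is the security reduction, not efficiency.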
=== CCA-secure cryptosystem ===

{{Expand section|date=December 2009}}

Peikert<ref name="peikert09" /> proposed a system that is secure even against any [[chosen-ciphertext attack]].

== See also ==

*[[Lattice-based cryptography]]

==References==

<references/>

[[Category:Machine learning]]

[[Category:Cryptography]]