Bit Security of Learning with Errors for Post-Quantum Cryptography and Fully Homomorphic Encryption
Lead Research Organisation:
Royal Holloway University of London
Department Name: Information Security
Abstract
LWE can be summarised as: given a matrix `A` and a vector `b` modulo `q`, decide if `b` is uniform or if `b = A * s + e` for some small error `e`. Hence, the problem is essentially to solve a noisy linear system of equations modulo `q`. It was shown by Regev that this problem is as hard as assumed-to-be-hard problems. The problem has become a central building block of modern cryptographic constructions.
1. Modern cybersecurity relies on cryptographic algorithms such as RSA encryption and digital signatures as well as the Diffie-Hellman key exchange. It is well-known that the hard mathematical problems underlying these algorithms can be solved efficiently on a quantum computer. While the advent of quantum computers has been promised many times before, recent developments in the area have convinced many actors, especially those with a long-term security mission, to actively seek alternative algorithms which promise post-quantum security. As a result, post-quantum cryptography has recently developed from a niche area of cryptography to a mainstream concern. With the American standards body NIST announcing it would hold a competition for post-quantum proposals, the field is posed to become a central area of cryptographic research in the coming years. LWE is one of the central candidates for a hard problem withstanding attacks using quantum computers and first proposals for key exchange algorithms for Internet communication based on LWE are available.
2. Fully homomorphic encryption, the ability to compute with encrypted data, has progressed considerably since a first solution was proposed in Gentry's seminal work. The most recent generation of such schemes have become efficient enough to the point that first prototype applications, such as privacy-preserving computations with genome data, are being developed. All such constructions rely on the difficulty of solving LWE.
While it is encouraging to have Regev's proof that solving LWE is no easier than solving problems widely believed to be hard as we increase parameters, this does not settle the question of how big we should choose our parameters to provide security against real world attacks. The purpose of this project is to provide more refined answers to this question, allowing us to rely on LWE with more confidence.
1. Modern cybersecurity relies on cryptographic algorithms such as RSA encryption and digital signatures as well as the Diffie-Hellman key exchange. It is well-known that the hard mathematical problems underlying these algorithms can be solved efficiently on a quantum computer. While the advent of quantum computers has been promised many times before, recent developments in the area have convinced many actors, especially those with a long-term security mission, to actively seek alternative algorithms which promise post-quantum security. As a result, post-quantum cryptography has recently developed from a niche area of cryptography to a mainstream concern. With the American standards body NIST announcing it would hold a competition for post-quantum proposals, the field is posed to become a central area of cryptographic research in the coming years. LWE is one of the central candidates for a hard problem withstanding attacks using quantum computers and first proposals for key exchange algorithms for Internet communication based on LWE are available.
2. Fully homomorphic encryption, the ability to compute with encrypted data, has progressed considerably since a first solution was proposed in Gentry's seminal work. The most recent generation of such schemes have become efficient enough to the point that first prototype applications, such as privacy-preserving computations with genome data, are being developed. All such constructions rely on the difficulty of solving LWE.
While it is encouraging to have Regev's proof that solving LWE is no easier than solving problems widely believed to be hard as we increase parameters, this does not settle the question of how big we should choose our parameters to provide security against real world attacks. The purpose of this project is to provide more refined answers to this question, allowing us to rely on LWE with more confidence.
Planned Impact
Cryptography is inherently an applicable subject, and there is a continuous transfer of knowledge and techniques from the more theoretical side of the field to the more applied side. This process can be seen with the Learning with Errors problem itself. Here, the initial theoretical ideas were published in cryptography and theoretical computer science conferences, but then further developed and applied to scenarios where such cryptography enables new functionality such as post-quantum cryptography and fully homomorphic encryption, with research now being published at general cybersecurity conferences. Similarly, first attempts at standardisation are being launched.
This project will aid this development further by increasing our confidence in the security of specific parameter sets for LWE. In particular, it is expected that the results of this project will have a direct impact on standardisation and deployment efforts for lattice-based cryptography currently underway.
Furthermore, due to the strong focus on reliable research software in this project and the utility of lattice-reduction beyond the field of post-quantum cryptography or homomorphic encryption, the research proposed here is also likely to affect other areas of engineering or mathematics relying on such tools.
This project will aid this development further by increasing our confidence in the security of specific parameter sets for LWE. In particular, it is expected that the results of this project will have a direct impact on standardisation and deployment efforts for lattice-based cryptography currently underway.
Furthermore, due to the strong focus on reliable research software in this project and the utility of lattice-reduction beyond the field of post-quantum cryptography or homomorphic encryption, the research proposed here is also likely to affect other areas of engineering or mathematics relying on such tools.
People |
ORCID iD |
| Martin Albrecht (Principal Investigator) |
Publications
Albrecht M
(2019)
Implementing RLWE-based Schemes Using an RSA Co-Processor
in IACR Transactions on Cryptographic Hardware and Embedded Systems
Albrecht M
(2017)
Advances in Cryptology - EUROCRYPT 2017
| Description | The grant is concerned with the "bit-security" of the Learning with Errors problem (LWE). In other words, it seeks to make progress on the question of how many elementary operations are needed to solve a particular set of LWE parameters. Key findings that the cost of solving LWE has been previously overestimated both in general (see uSVP work) and for specific parameter sets (see small secret work). Furthermore, the grant permits the maintenance and development of https://bitbucket.org/malb/lwe-estimator which is used by several submissions to the NIST post-quantum cryptography standardisation process to assess security. |
| Exploitation Route | The results obtained here are widely used, for example by many submissions to the NIST PQC process (cf. https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions) See also https://estimate-all-the-lwe-ntru-schemes.github.io/docs/ |
| Sectors | Digital/Communication/Information Technologies (including Software),Security and Diplomacy |
| Description | The results obtained by this grant have been very influential for several standardisation processes, such as the NIST process, ETSI's QSC and a new homomorphic encryption standardisation process. - https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions - https://homomorphicencryption.org/standard/ |
| First Year Of Impact | 2018 |
| Sector | Digital/Communication/Information Technologies (including Software) |
| Impact Types | Societal |
| Description | Foundational technology in Homomorphic Encryption Security Standard |
| Geographic Reach | Multiple continents/international |
| Policy Influence Type | Citation in other policy documents |
| Impact | Homomorphic encryption is a key technology to enable privacy-preserving data processing and our work is routinely relied upon to establish how to pick parameters for such schemes. |
| URL | https://homomorphicencryption.org/standard/ |
| Description | (PROMETHEUS) - PRivacy preserving pOst-quantuM systEms from advanced crypTograpHic mEchanisms Using latticeS |
| Amount | € 5,496,969 (EUR) |
| Funding ID | 780701 |
| Organisation | European Commission |
| Sector | Public |
| Country | European Union (EU) |
| Start | 01/2018 |
| End | 06/2022 |
| Title | FPLLL 5.1 |
| Description | fplll contains implementations of several lattice algorithms. The implementation relies on floating-point orthogonalization, and LLL [LLL82] is central to the code, hence the name. It includes implementations of floating-point LLL reduction algorithms [NS09,MSV09], offering different speed/guarantees ratios. It contains a 'wrapper' choosing the estimated best sequence of variants in order to provide a guaranteed output as fast as possible [S10]. In the case of the wrapper, the succession of variants is oblivious to the user. It includes an implementation of the BKZ reduction algorithm [SE94], including the BKZ-2.0 [CN11] improvements (extreme enumeration pruning, pre-processing of blocks, early termination). Additionally, Slide reduction [GN08] and self dual BKZ [MW16] are supported. It also includes a floating-point implementation of the Kannan-Fincke-Pohst algorithm [K83,FP85] that finds a shortest non-zero lattice vector. For the same task, the GaussSieve algorithm [MV10] is also available in fplll. Finally, it contains a variant of the enumeration algorithm that computes a lattice vector closest to a given vector belonging to the real span of the lattice. |
| Type Of Technology | Software |
| Year Produced | 2017 |
| Open Source License? | Yes |
| Impact | FPLLL is included in SageMath which is used by ten thousands of users. FPLLL is the de-facto public standard implementation for strong lattice reduction. |
| URL | https://github.com/fplll/fplll |
| Title | Lattice Estimator |
| Description | This Sage module provides functions for estimating the concrete security of Learning with Errors instances. The main purpose of this estimator is to give designers an easy way to choose parameters resisting known attacks and to enable cryptanalysts to compare their results and ideas with other techniques known in the literature. |
| Type Of Technology | Software |
| Year Produced | 2021 |
| Open Source License? | Yes |
| Impact | This library (and its predecessor https://bitbucket.org/malb/lwe-estimator/) are routinely relied upon in the literature and by practitioners to assess the security of parameter sets for lattice-based cryptographic schemes. See e.g. https://twitter.com/zama_fhe/status/1474380108748177417 for the perspective of practitioners. |