Paper notes: On Lattices, Learning with Errors, Random Linear Codes, and Cryptography
2017-07-24 19:48
On Lattices, Learning with Errors, Random Linear Codes, and Cryptography
Oded Regev
Department of Computer Science, Tel-Aviv University, Tel-Aviv 69978, Israel
Abstract

Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for SVP and SIVP. A main open question is whether this reduction can be made classical.
Main result: a reduction from worst-case lattice problems (SVP, SIVP) to a learning problem. That learning problem is the natural extension of 'learning from parity with error' (awkward to translate; just take the gist) to larger moduli, and it can equally be seen as decoding a random linear code. The reduction is quantum, so an efficient algorithm for the learning problem would give a quantum algorithm for SVP/SIVP. Open question: can the reduction be made classical?
Using the main result, we obtain a public key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP. Previous lattice-based public key cryptosystems such as the one by Ajtai and Dwork were only based on unique-SVP, a special case of SVP. The new cryptosystem is much more efficient than previous cryptosystems: the public key is of size Õ(n^2) and encrypting a message increases its size by Õ(n) (in previous cryptosystems these values are Õ(n^4) and Õ(n^2), respectively). In fact, under the assumption that all parties share a random bit string of length Õ(n^2), the size of the public key can be reduced to Õ(n).
Summary: a public-key cryptosystem whose security rests on the worst-case quantum hardness of SVP/SIVP. Earlier lattice-based public-key systems relied only on unique-SVP, and the new system is also far more efficient:

| | public key size | ciphertext expansion |
|---|---|---|
| LWE (this paper) | Õ(n^2) | Õ(n) |
| previous | Õ(n^4) | Õ(n^2) |

If all parties share a random bit string of length Õ(n^2), the public key shrinks to Õ(n).
Introduction

Main theorem. (Long passage not reproduced; summary only.) An important open question is to explain the apparent difficulty in finding efficient algorithms for this learning problem. Our main theorem explains this difficulty for a natural extension of this problem to higher moduli, defined next:
Let p = p(n) ≤ poly(n) be some prime integer and consider a list of 'equations with error'
![](http://img.blog.csdn.net/20170724200038626?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvbGxsdW5pamlh/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
……
where the unknown secret s is an element of
![](http://img.blog.csdn.net/20170724200416264?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvbGxsdW5pamlh/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
(the set of n-dimensional integer vectors mod p). Each a_i is chosen independently and uniformly from the same set Z_p^n, and each b_i ∈ Z_p is computed from it. The error in every equation follows a probability distribution χ: Z_p → R^+ on Z_p; that is, for each i an error e_i ∈ Z_p is drawn from χ and b_i = ⟨s, a_i⟩ + e_i (mod p). The problem of recovering s from such equations is LWE. The main theorem says that for suitable choices of p and χ, LWE is at least as hard for quantum algorithms as worst-case lattice problems.
Theorem 1.1 (informal): omitted.
Some remarks:
If one finds an efficient algorithm for LWE, then one also obtains a quantum algorithm for approximating worst-case lattice problems.
That is: an efficient LWE solver would give a quantum algorithm for approximating worst-case lattice problems.
The LWE problem can be equivalently presented as the problem of decoding random linear codes.
That is: LWE is equivalent to decoding a random linear code.
It turns out that certain problems, which are seemingly easier than the LWE problem, are in fact equivalent to the LWE problem.
That is: some problems that look easier than LWE are actually equivalent to it.
Cryptosystem. A public key cryptosystem whose security is based on the worst-case quantum hardness of approximating SIVP and SVP to within Õ(n^1.5), with improved efficiency over previous schemes.
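The following is an added worked example written for these notes; it is not code from Regev's paper or from this blog's author. It instantiates the definition above (samples b_i = ⟨s, a_i⟩ + e_i mod p, with a_i uniform) and the cryptosystem's key generation, encryption and decryption with toy parameters, then shows why the error term is what makes the problem hard: Gaussian elimination mod p recovers s from noiseless equations immediately, while the same elimination on noisy samples returns nothing useful. All names (N, Q, M, SIGMA, keygen, encrypt, decrypt, solve_mod_q, demo) and parameter values are illustrative choices, not the paper's; the rounded Gaussian stands in for the paper's error distribution Ψ_α.

```python
"""Toy instance of Regev's LWE public-key cryptosystem (added example, not the
paper's code).  Parameters are assumptions chosen for readability, not for
security: they are far too small to resist lattice reduction."""
import random

N = 16        # dimension of the secret s in Z_Q^N (the paper's n)
Q = 4093      # prime modulus (the paper's p)
M = 160       # number of LWE samples in the public key (public key is M*(N+1) elements, O~(n^2))
SIGMA = 3.0   # std-dev of the rounded-Gaussian error, a stand-in for Psi_alpha


def sample_error(rng):
    """One error e_i: a Gaussian rounded to the nearest integer, reduced mod Q."""
    return round(rng.gauss(0, SIGMA)) % Q


def lwe_samples(s, m, rng, noisy=True):
    """Return m pairs (a_i, b_i) with a_i uniform in Z_Q^N and
    b_i = <s, a_i> + e_i (mod Q).  noisy=False gives the error-free
    linear system, i.e. the easy case."""
    samples = []
    for _ in range(m):
        a = [rng.randrange(Q) for _ in range(N)]
        e = sample_error(rng) if noisy else 0
        b = (sum(x * y for x, y in zip(a, s)) + e) % Q
        samples.append((a, b))
    return samples


def keygen(rng):
    """Secret key: uniform s.  Public key: M LWE samples under s."""
    s = [rng.randrange(Q) for _ in range(N)]
    return s, lwe_samples(s, M, rng)


def encrypt(pk, bit, rng):
    """Pick a random subset of the public samples and output
    (sum a_i, sum b_i + bit*floor(Q/2)): one vector in Z_Q^N plus one
    scalar, so a 1-bit message grows by O~(n)."""
    a = [0] * N
    b = 0
    for ai, bi in pk:
        if rng.random() < 0.5:
            a = [(x + y) % Q for x, y in zip(a, ai)]
            b = (b + bi) % Q
    return a, (b + bit * (Q // 2)) % Q


def decrypt(s, ct):
    """b - <a, s> = (sum of the chosen errors) + bit*floor(Q/2) mod Q.
    The error sum is small, so decide by which of 0 or Q/2 is closer."""
    a, b = ct
    v = (b - sum(x * y for x, y in zip(a, s))) % Q
    return 0 if min(v, Q - v) < abs(v - Q // 2) else 1


def solve_mod_q(samples):
    """Gauss-Jordan elimination over Z_Q on the samples, treating them as
    exact equations <s', a_i> = b_i.  Returns s' read off the reduced rows."""
    rows = [list(a) + [b] for a, b in samples]
    pivot_row = 0
    for col in range(N):
        piv = next((r for r in range(pivot_row, len(rows)) if rows[r][col]), None)
        if piv is None:
            raise ValueError("samples do not span Z_Q^N; need more of them")
        rows[pivot_row], rows[piv] = rows[piv], rows[pivot_row]
        inv = pow(rows[pivot_row][col], -1, Q)
        rows[pivot_row] = [(x * inv) % Q for x in rows[pivot_row]]
        for r in range(len(rows)):
            if r != pivot_row and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[pivot_row])]
        pivot_row += 1
    return [rows[i][N] for i in range(N)]


def demo(seed=1):
    """Round-trip a few bits, then contrast noiseless vs. noisy recovery of s."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    bits = [0, 1, 1, 0, 1]
    roundtrip = [decrypt(s, encrypt(pk, b, rng)) for b in bits]
    clean = solve_mod_q(lwe_samples(s, M, rng, noisy=False))
    # On noisy samples the elimination multiplies each e_i by entries of the
    # inverse matrix, which are essentially uniform mod Q, so the result is junk.
    noisy_guess = solve_mod_q(pk)
    return {
        "roundtrip_ok": roundtrip == bits,
        "noiseless_recovers_s": clean == s,
        "noisy_recovers_s": noisy_guess == s,
    }


if __name__ == "__main__":
    print(demo())
```

The decryption threshold works because the sum of roughly M/2 errors of standard deviation SIGMA stays far below Q/4; with real parameters the paper's choice of α keeps that error sum bounded with overwhelming probability while still making the noiseless shortcut unavailable.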
Why quantum?
Let L be some lattice and let d = λ_1(L)/n^10, where λ_1(L) is the length of the shortest nonzero vector in L. We are given an oracle that for any point x ∈ R^n within distance d of L finds the closest lattice vector to x. If x is not within distance d of L, the output of the oracle is undefined.
L is a lattice and d = λ_1(L)/n^10, where λ_1(L) is the length of its shortest nonzero vector. For any point x ∈ R^n within distance d of L, the oracle returns the lattice vector closest to x; if x is not within distance d of L, the oracle's output is undefined.
(Heavens, I have no idea what this is.)
somehow choose a lattice point y ∈ L and let x = y + z for some perturbation vector z of length at most d. Clearly, on input x the oracle outputs y. But this is useless since we already know y! This ability to erase the contents of a memory cell in a reversible way seems useful only in the quantum setting.
Pick a lattice point y and let x = y + z, where z is a perturbation vector of length at most d. The oracle returns y, but that is useless since we already know y. (More precisely, what it buys us is a change to a quantum state.) This ability to reversibly erase the contents of a memory cell seems to be useful only in the quantum setting.
Overview
(Long passage not reproduced; summary only.) The reduction is iterative. Each iteration starts from samples of the discrete Gaussian D_{L,r} and has two steps:
Step 1. Use these samples to construct an algorithm that solves CVP_{L*, αp/r}, i.e. solves the closest vector problem on L* for points that are within distance αp/r of the lattice. This algorithm is classical and uses the LWE oracle.
Step 2. Use this algorithm to generate samples from D_{L,r'}. This step is quantum (and in fact, the only quantum part of our proof). In the following, we describe each of these steps briefly.