Welcome to the resource topic for 2024/1589
Title:
A Systematic Study of Sparse LWE
Authors: Aayush Jain, Huijia Lin, Sagnik Saha
Abstract:In this work, we introduce the sparse LWE assumption, an assumption that draws inspiration from both Learning with Errors (Regev JACM 10) and Sparse Learning Parity with Noise (Alekhnovich FOCS 02). Exactly like LWE, this assumption posits indistinguishability of (\mathbf{A}, \mathbf{s}\mathbf{A}+\mathbf{e} \mod p) from (\mathbf{A}, \mathbf{u}) for a random \mathbf{u} where the secret \mathbf{s}, and the error vector \mathbf{e} is generated exactly as in LWE. However, the coefficient matrix \mathbf{A} in sparse LPN is chosen randomly from \mathbb{Z}^{n\times m}_{p} so that each column has Hamming weight exactly k for some small k. We study the problem in the regime where k is a constant or polylogarithmic. The primary motivation for proposing this assumption is efficiency. Compared to LWE, the samples can be computed and stored with roughly O(n/k) factor improvement in efficiency. Our results can be summarized as:
Foundations:
We show several properties of sparse LWE samples, including: 1) The hardness of LWE/LPN with dimension k implies the hardness of sparse LWE/LPN with sparsity k and arbitrary dimension n \ge k. 2) When the number of samples m=\Omega(n \log p), length of the shortest vector of a lattice spanned by rows of a random sparse matrix is large, close to that of a random dense matrix of the same dimension (up to a small constant factor). 3) Trapdoors with small polynomial norm exist for random sparse matrices with dimension n \times m = O(n \log p). 4) Efficient algorithms for sampling such matrices together with trapdoors exist when the dimension is n \times m = \widetilde{\mathcal{O}}(n^2).
Cryptanalysis:
We examine the suite of algorithms that have been used to break LWE and sparse LPN. While naively many of the attacks that apply to LWE do not exploit sparsity, we consider natural extensions that make use of sparsity. We propose a model to capture all these attacks. Using this model we suggest heuristics on how to identify concrete parameters. Our initial cryptanalysis suggests that concretely sparse LWE with a modest k and slightly bigger dimension than LWE will satisfy similar level of security as LWE with similar parameters.
Applications:
We show that the hardness of sparse LWE implies very efficient homomorphic encryption schemes for low degree computations. We obtain the first secret key Linearly Homomorphic Encryption (LHE) schemes with slightly super-constant, or even constant, overhead, which further has applications to private information retrieval, private set intersection, etc. We also obtain secret key homomorphic encryption for arbitrary constant-degree polynomials with slightly super-constant, or constant, overhead.
We stress that our results are preliminary. However, our results make a strong case for further investigation of sparse LWE.
ePrint: https://eprint.iacr.org/2024/1589
See all topics related to this paper.
Feel free to post resources that are related to this paper below.
Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.
For more information, see the rules for Resource Topics .