Analogy between Learning With Error Problem and Ill-Posed Inverse Problems
Gaurav Mittal

TL;DR
This paper draws an analogy between the Learning With Error problem and ill-posed inverse problems, proposing new encryption schemes and analyzing their security based on this connection.
Contribution
It introduces a novel perspective linking LWE to ill-posed inverse problems and develops new encryption schemes grounded in this analogy.
Findings
LWE is shown to be a structured inverse problem
A symmetric encryption scheme based on ill-posed problems is proposed
A public key encryption scheme combining this symmetric scheme with CRYSTALS-Kyber is introduced
Abstract
In this work, we unveil an analogy between the well-known lattice-based learning with error (LWE) problem and ill-posed inverse problems. We show that the LWE problem is a structured inverse problem. Further, we propose a symmetric encryption scheme based on ill-posed problems and thoroughly discuss its security. Finally, we propose a public key encryption scheme based on our symmetric encryption scheme and the CRYSTALS-Kyber KEM (key encapsulation mechanism) and discuss its security.
Gaurav Mittal
Defence Research and Development Organization, Near Metcalfe House, New Delhi, 110054, India
email: [email protected], [email protected]
2010 MSC: Primary: 94A60, 65J22
Keywords: Learning With Error Problem, Cryptography, Inverse Problems
1. Introduction and Analogy
1.1. Learning with Error Problem
The LWE (Learning With Error) problem is a well-known hard problem in cryptography [2]. Having been the subject of intense scrutiny for nearly a decade, the crypto-primitives CRYSTALS-Kyber [3] and CRYSTALS-Dilithium [4], whose security inherently relies on the LWE problem, have been standardized by NIST. The LWE problem was put forward by Regev in his seminal work [6]. Formally, one may define the LWE problem as follows:
Definition 1.
For a prime , let be an error distribution over the modular ring . For a given (also known as dimension parameter), let be chosen uniformly at random and it is kept as a secret. For , where is some polynomial in , consider the samples
[TABLE]
where is picked uniformly at random. Further, is picked following distribution and typically, this is a short element (in terms of norm). The LWE problem is to derive from the knowledge of .
The LWE problem can also be formulated in terms of matrix form as follows: Given
[TABLE]
we need to find from the knowledge of .
It is well known that the LWE problem is very hard, and solving it on average is equivalent to solving certain lattice problems in the worst case using quantum computers [6]. This makes LWE a very strong candidate for post-quantum cryptography, and this worst-case advantage is not associated with any other post-quantum candidate [2]. To explore the roots of the computational hardness of the LWE problem, we turn to the subject of inverse problems. We refer to [5] for more preliminary details on this subject.
1.2. Well-Posed and Ill-Posed Problems
We consider the operator equations of the form
[TABLE]
where and denote Banach spaces and denotes the domain of . Given , deducing is the direct problem. The corresponding inverse problem is deducing from the value of . As per Hadamard criteria, a problem of the form (1.1) is well-posed if the following three conditions are met.
- (i) For a given , (1.1) has a solution.
- (ii) The solution is unique.
- (iii) Continuous dependency must be there, i.e., if is given in place of and it is close to , then the corresponding solutions and should be near to each other (in terms of norm).
Further, if any one of the above three conditions is not satisfied, then the problem (1.1) is ill-posed. Conditions (i)-(ii) are straightforward to understand, while condition (iii) is less clear. Before going further, we discuss an example of a problem that is ill-posed because it does not fulfill condition (iii).
Example of an ill-posed Problem.
Let be the space of real-valued Lebesgue integrable functions defined on such that . We consider an operator
[TABLE]
defined as
[TABLE]
This operator is also known as a Hilbert-Schmidt operator (HSO). For the integral equation (1.2), the kernel is square-integrable as well as continuous. Therefore, HSO is a compact operator. Further, we know that any compact operator possesses a singular value decomposition (see [5]). Consequently, we may write
[TABLE]
where are singular values of satisfying as and are orthonormal systems. For the operator , the inverse operator can be written as
[TABLE]
We assume the availability of perturbed data since exact data is not available in practice. So, we may write
[TABLE]
Here represents the small error. Applying on this and using (1.3), we derive that
[TABLE]
Since the operator is compact, we note that
[TABLE]
This and (1.4) imply that
[TABLE]
for any positive constant . Therefore, there is no continuous dependence between the data and the solution. Hence, the operator is ill-posed in the sense of Hadamard due to violation of condition (iii).
1.3. Degree of Ill-posedness
In this subsection, we discuss operator equations of the form (1.1) with the additional constraint that is a compact operator between Hilbert spaces. The singular value decomposition (SVD) theorem implies that has singular values
[TABLE]
We note that (1.1) is ill-posed if
[TABLE]
This is also evident from (1.4), as decaying values of lead to instability of . Further, the degree of ill-posedness can be described by the rate at which the singular values decay. Accordingly, we have the following two categories of ill-posed problems.
- (i) Mildly ill-posed: If the decay is of the form
[TABLE]
i.e., decays polynomially (or algebraic decay), then (1.1) is mildly ill-posed.
- (ii) Severely ill-posed: If the decay is of the form
[TABLE]
i.e., decays exponentially, then (1.1) is severely ill-posed.
We note that the faster the rate at which s decay, the higher the degree of ill-posedness of (1.1).
1.4. Structural Analogy
In this subsection, we discuss the analogy between LWE problem and ill-posed inverse problems. This is discussed in the following Table 1.
We note the following:
- Both the LWE problem and the inverse problem for HSO require inverting a linear operator that is contaminated by noise. As a result, inversion is either unstable or computationally hard.
- In the inverse problem for HSO, a small noise makes the problem highly ill-posed. In the LWE problem, noise plays the role of a mask, which makes it computationally infeasible to deduce the secret.
In this manner, we can see that the LWE problem is a structured inverse problem. Precisely, the LWE problem can be seen as a special case of inverse problems, i.e.,
[TABLE]
In inverse problems, we aim for an approximate solution (which is close to the exact solution in terms of norm) using regularization techniques, whereas for the LWE problem, we look for the exact solution. If the noise samples in inverse problems are discrete in nature, then the LWE problem and the inverse problem with a matrix operator are the same.
2. Symmetric encryption scheme based on Ill-posed problems
In this section, we propose a symmetric encryption scheme based on ill-posed inverse problems. This is defined through the following subsections.
2.1 Parameters and Key Generation:
- Let be a compact operator. Let be the inverse of . We remark that both and are known publicly.
- Let be the error and let it follow a certain distribution, e.g., a discrete Gaussian distribution or a centered binomial distribution. This error is chosen secretly and acts as the secret key. We note that the set containing errors has cardinality at least .
2.2 Encoding:
- Let be the message space containing all bit-strings of length .
- Let be an arbitrary message string. Then one may see the space as a subset of using one of the following two mappings.
- Map-1: Using Fourier or Haar basis, generate an orthonormal sequence . We enumerate elements in as . Then consider the map
[TABLE]
This map is injective.
- Map-2: This map is defined using piecewise constant functions. Consider a string . We define as
[TABLE]
It can be verified that . Accordingly, we define the map
[TABLE]
This map is also injective.
- Clearly, , represent the desired encoding of binary messages as elements of .
2.3 Encryption:
- Let be the message to be encrypted.
- Apply given by (2.1) (or given by (2.2)) on to obtain .
- The ciphertext is
[TABLE]
where is the secret key. This error introduces noise in the data.
2.4 Decryption and Decoding:
- The decryptor after receiving , uses secret key to obtain
[TABLE]
- Apply on the exact data to obtain
[TABLE]
- Represent as an element of by using (which exists on its range). This yields the message.
Next, we discuss the security of our encryption scheme along with its certain characteristics.
2.5 Security Analysis:
(a) Brute force attack:
The adversary needs to try all the possible errors from the set of errors to get the message from the knowledge of . This is computationally infeasible to perform in polynomial time.
(b) Error should be ephemeral:
Suppose two messages and are such that the same error is taken to encrypt both. Then, (2.3) implies that
[TABLE]
[TABLE]
These two imply that
[TABLE]
If the operator is linear, then this means
[TABLE]
Further, if is also linear, then (2.4) gives the encryption of . Therefore, for every message, the error should be chosen uniformly at random.
(c) Probabilistic encryption:
Our scheme comes under the category of probabilistic encryption. Given a fixed message , there can be many ciphertexts corresponding to this message. This is because changing the error changes the ciphertext for a fixed message.
(d) Security against ciphertext only attack:
The adversary knows and . Using these in (2.3), computes
[TABLE]
But due to ill-posedness of the compact operator equation (or inverse problem), the small error leads to large error in as shown in subsection 1.2. Therefore, it becomes computationally infeasible for to deduce without applying regularization techniques. We remark that the application of regularization techniques further depends on the degree of ill-posedness of the inverse problem as discussed in subsection 1.3.
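The encryption and decryption maps of subsections 2.3 and 2.4, the error-reuse relation in (b) and the noise amplification behind (d) can be traced on a discretised instance. This is an added example, not the author's code: it assumes the operator is integration on [0,1] sampled on n subintervals (so its inverse is a scaled finite difference), a Map-2 style encoding that places bit i on the i-th subinterval, and constructed messages and errors; exact rationals are used so every identity holds without rounding.

```python
from fractions import Fraction

def K(x):
    """Discretised integration: (Kx)_i = h * (x_0 + ... + x_i), h = 1/n."""
    h, acc, out = Fraction(1, len(x)), Fraction(0), []
    for v in x:
        acc += h * v
        out.append(acc)
    return out

def K_inv(y):
    """Exact inverse of K: finite differences divided by h."""
    n = len(y)
    return [(y[i] - (y[i - 1] if i else 0)) * n for i in range(n)]

def encrypt(bits, e):
    # Assumed Map-2 style encoding: bit i is the function value on subinterval i
    return [k + ei for k, ei in zip(K(bits), e)]

def decrypt(c, e):
    # Remove the secret error first, then invert the public operator
    return [int(v) for v in K_inv([ci - ei for ci, ei in zip(c, e)])]

def reuse_leak(c1, c2):
    """If one error encrypts two messages it cancels in c1 - c2, and linearity
    of K gives K_inv(c1 - c2) = x1 - x2 without knowledge of the error."""
    return [int(v) for v in K_inv([a - b for a, b in zip(c1, c2)])]

def amplification(n, delta=Fraction(1, 1000)):
    """max|K_inv(e)| / max|e| for an oscillating error of size delta."""
    e = [delta * (-1) ** i for i in range(n)]
    return max(abs(v) for v in K_inv(e)) / delta

# Constructed sample data (not from the paper)
M1 = [1, 0, 1, 1, 0, 0, 1, 0]
M2 = [1, 1, 1, 0, 0, 1, 1, 0]
E = [Fraction(k, 1000) for k in (2, -1, 0, 1, -2, 1, 0, -1)]

if __name__ == "__main__":
    c1, c2 = encrypt(M1, E), encrypt(M2, E)
    print(decrypt(c1, E), reuse_leak(c1, c2), amplification(8), amplification(64))
```

The nonzero entries of `reuse_leak` mark exactly the bit positions where the two messages differ. The amplification factor is 2n, so it grows with the resolution of the discretisation.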
(e) Security against known/chosen plaintext attacks:
The adversary knows (or demands) polynomially many plaintext-ciphertext pairs (these may be chosen adaptively). The main purpose of is to derive . It follows from (2.3) that
[TABLE]
Since is different and randomly chosen for every message, it becomes computationally infeasible to deduce for a new message.
(f) Security against Differential cryptanalysis:
Since we have shown that our scheme is safe against adaptive chosen plaintext attack, our scheme is also resistant to differential cryptanalysis.
(g) CCA2 security (security against adaptive chosen ciphertext attack):
Due to the inclusion of unique/random errors at each instance, it would not be possible for to deduce the key/encryption of a new message from previous adaptive plaintext-ciphertext queries in polynomial time. Thus, the scheme is CCA2 secure.
Remark 1 (Requirement of a synchronized error generator): For a symmetric encryption scheme, both sender and receiver should have the same secret key. In our case, the secret key is the error. Consequently, both parties should have a synchronized error generator that generates the error uniformly at random (or following a certain distribution).
3. Public key encryption scheme based on Ill-posed problems
In this section, we build on the work of the previous section and propose a public key encryption (PKE) scheme based on ill-posed problems. Specifically, we integrate the symmetric encryption scheme proposed in the previous section with the CRYSTALS-Kyber key encapsulation mechanism (KEM) [3]. The PKE is defined as follows (see also Table 2).
3.1 Key Generation:
We run the CRYSTALS-Kyber KEM key generation algorithm to generate a public/private key pair. We denote it by pk and sk, respectively.
3.2 Encryption:
Let be the message to be encrypted. We run the CRYSTALS-Kyber KEM encaps algorithm to generate a key (of length bits) and the corresponding ciphertext . Further, we instantiate an XOF function [1] on to get a key of the desired length to be used for the symmetric encryption scheme described in section 2. Finally, we encrypt using the encryption function of the scheme to get ciphertext . The final ciphertext is .
3.3 Decryption:
After receiving , the decryptor first runs the CRYSTALS-Kyber KEM decaps algorithm with input to get the key . Then, the decryptor runs the XOF function on to get the key . Finally, using the decryption function of the scheme on ciphertext with key , we get the message .
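The key-derivation step shared by 3.2 and 3.3, which also serves as the synchronized error generator of Remark 1, can be sketched with SHAKE-256 from [1]. This is an added example, not part of the paper: the Kyber shared key is replaced by a constructed 32-byte stand-in, and the function names, the domain-separation label and the centered binomial parameter `eta` are assumptions.

```python
import hashlib

LABEL = b"ill-posed-sym/error/v1"  # hypothetical domain-separation label

def derive_error(shared_key: bytes, n: int, eta: int = 2) -> list:
    """Expand a KEM shared key with SHAKE-256 into n error values that follow
    a centered binomial distribution on [-eta, eta]."""
    nbits = 2 * eta * n                      # 2*eta XOF bits per error value
    stream = hashlib.shake_256(LABEL + shared_key).digest((nbits + 7) // 8)
    bits = [(byte >> k) & 1 for byte in stream for k in range(8)]
    # Each value is (sum of eta bits) - (sum of the next eta bits)
    return [sum(bits[i:i + eta]) - sum(bits[i + eta:i + 2 * eta])
            for i in range(0, nbits, 2 * eta)]

def both_sides(shared_key: bytes, n: int):
    """Sender (after encaps) and receiver (after decaps) hold the same shared
    key and derive the error independently; no error is ever transmitted."""
    sender = derive_error(shared_key, n)
    receiver = derive_error(shared_key, n)
    return sender, receiver

if __name__ == "__main__":
    kem_key = bytes(range(32))               # constructed stand-in for the KEM output
    snd, rcv = both_sides(kem_key, 16)
    print(snd == rcv, snd)
    # A fresh encapsulation yields a fresh key, hence a fresh error per message
    print(derive_error(bytes(32), 16) != snd)
```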
3.4 Security Analysis:
The security of our PKE clearly depends on the security of the Kyber KEM and the symmetric encryption scheme . The security of the Kyber KEM depends on a lattice problem, i.e., module-LWE (module learning with errors), whose hardness is very well understood (see [3]). The security of is already discussed, i.e., it is CCA2 secure. Consequently, it follows from [3] that our PKE is IND-CCA2 secure (indistinguishability under adaptive chosen ciphertext attack), which is the gold standard of security.
4. Discussion
We have unveiled a canonical analogy between the post-quantum lattice-based learning with error problem and ill-posed inverse problems. Precisely, we have shown that the LWE problem is a special case of solving inverse problems. Motivated by this fact, we have proposed two encryption schemes. The first one is symmetric and the other one is asymmetric (or PKE). We also thoroughly discussed the security of these schemes. In future, this work can be extended in a number of ways. The first one is to look at the impact of regularization techniques on the security of these schemes. The second one is to look at efficient ways of sampling errors in (2.3).
References
- [1] Federal Information Processing Standards Publication 180-4, SHA-3 standard: Permutation-based hash and Extendable-Output Functions, NIST, 2015, http://dx.doi.org/10.6028/NIST.FIPS.202.
- [2] D. Bernstein, J. Buchmann, E. Dahmen, Post-Quantum cryptography, Springer, Berlin, 2009.
- [3] J. Bos, L. Ducas, E. Kiltz et al., CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM, In 2018 IEEE European symposium on security and privacy (pp. 353-367), IEEE, 2018.
- [4] L. Ducas, E. Kiltz, T. Lepoint et al., Crystals-dilithium: A lattice-based digital signature scheme, IACR transactions on cryptographic hardware and embedded systems, 238-268, 2018.
- [5] H. Engl, M. Hanke, A. Neubauer, Regularization of Inverse Problems, Kluwer Academic Publishers, 2000.
- [6] O. Regev, On lattices, learning with errors, random linear codes, and cryptography, Journal of the ACM, 56(6), 1-40, 2009.
