Mon, 14 Oct 2024 13:00 A Systematic Study of Sparse LWE by Sagnik Saha (Carnegie Mellon University)

In this work, we introduce the sparse LWE assumption, an assumption that draws inspiration from both Learning with Errors (Regev JACM 10) and Sparse Learning Parity with Noise (Alekhnovich FOCS 02). Exactly like LWE, this assumption posits indistinguishability of ( A, sA+e mod p) from (A, u) for a random u where the secret s, and the error vector e is generated exactly as in LWE. However, the coefficient matrix A in sparse LPN is chosen randomly from Z^{n \times m}_p so that each column has Hamming weight exactly k for some small k. We study the problem in the regime where k is a constant or polylogarithmic. The primary motivation for proposing this assumption is efficiency. Compared to LWE, the samples can be computed and stored with roughly O(n/k) factor improvement in efficiency. Our results can be summarized as:

Foundations: We show several properties of sparse LWE samples, including: 1) The hardness of LWE/LPN with dimension k implies the hardness of sparse LWE/LPN with sparsity k and arbitrary dimension n >= k. 2) When the number of samples m=Omega(n log p), length of the shortest vector of a lattice spanned by rows of a random sparse matrix is large, close to that of a random dense matrix of the same dimension (up to a small constant factor). 3) Trapdoors with small polynomial norm exist for random sparse matrices with m = O(n log p) columns. 4) Efficient algorithms for sampling such matrices together with trapdoors exist when the number of columns, m = Otilde(n^2).

Cryptanalysis: We examine the suite of algorithms that have been used to break LWE and sparse LPN. While naively many of the attacks that apply to LWE do not exploit sparsity, we consider natural extensions that make use of sparsity. We propose a model to capture all these attacks. Using this model we suggest heuristics on how to identify concrete parameters. Our initial cryptanalysis suggests that concretely sparse LWE with a modest k and slightly bigger dimension than LWE will satisfy similar level of security as LWE with similar parameters.

Applications: We show that the hardness of sparse LWE implies very efficient homomorphic encryption schemes for low degree computations. We obtain the first secret key Linearly Homomorphic Encryption (LHE) schemes with slightly super-constant, or even constant, overhead, which further has applications to private information retrieval, private set intersection, etc. We also obtain secret key homomorphic encryption for arbitrary constant-degree polynomials with slightly super-constant, or constant, overhead.

We stress that our results are preliminary. However, our results make a strong case for further investigation of sparse LWE.

Speaker Bio:

I'm a 2nd-year PhD Student at Carnegie Mellon University advised by Prof. Aayush Jain. Before starting my PhD, I used to work as a software engineer at Google. I completed my Bachelors' and Masters' degrees from Massachusetts Institute of Technology in 2018 and 2019 respectively.

Venue: Online