6

Assume we are given a small fixed number of LWE samples with secret $s$ and error $e$, where the error distribution is taken so that the LWE problem is hard.

My question: How can one further generate LWE samples (with the same secret $s$), given the LWE samples.

It was briefly noted in [Reg10] (Sec2. "Other implications") that there exists such a procedure, however I was not able to find an explicit explanation (or in the references they suggested).

[Remark] It wouldn't be surprising that we can further generate LWE samples on our own, since the hardness of the LWE problem does not depend on the number of samples (when the error distribution is Gaussian).

ruparunpa
  • 85
  • 4
  • Do you want the error of the new sample to be totally uncorrelated from the previous one, and coming from the same distribution of error? – Florian Bourse Jun 10 '15 at 12:20
  • Yes, that will be most preferable! However, as long as the new samples are independent of the old samples, the error distribution doesn't necessarily need to be the same. – ruparunpa Jun 10 '15 at 15:32

1 Answers1

7

The basic idea is to take random (Gaussian) integer combinations of the given LWE samples, and add a little "smoothing" noise. This will result in new samples which are statistically close to LWE samples with the same secret, but with a somewhat wider error distribution (by a factor of $\tilde{O}(\sqrt{n})$ for typical parameters). This is essentially Regev's classical BDD-to-LWE reduction on the special family of Ajtai lattices.

More precisely, given LWE samples grouped as $(\mathbf{A} \in \mathbb{Z}_q^{n \times m}, \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t)$ where $m \approx n \log q$, generate a new sample as $(\mathbf{a}' = \mathbf{A} \cdot \mathbf{r} \in \mathbb{Z}_q^n, b' = \mathbf{b}^t \cdot \mathbf{r} + \tilde{e} \in \mathbb{Z}_q)$, where $\mathbf{r} \in \mathbb{Z}^m$ and $\tilde{e} \in \mathbb{Z}$ have discrete Gaussian distributions of appropriate parameters. One can show that with high probability over the choice of the original $(\mathbf{A}, \mathbf{b})$, the distribution of $\mathbf{a}'$ is nearly uniform. Moreover, conditioned on any fixed choice of $\mathbf{a}'$, the distribution of $\mathbf{e}^t \cdot \mathbf{r} + \tilde{e}$ (which is the "error" term in the output sample) is close to a discrete Gaussian.

This procedure is sketched in Gentry-Peikert-Vaikuntanathan, "Trapdoors for Hard Lattices..." (for the tight security proof of the IBE), and is done more formally in Applebaum-Cash-Peikert-Sahai, "Fast Cryptographic Primitives..." (as the encryption algorithm for the KDM-secure public-key scheme).

Chris Peikert
  • 5,813
  • 1
  • 24
  • 28
  • Correct me if I'm wrong: from a LWE sample of the form $(\mathbf A, \mathbf b^t) \in \mathbb Z_q^{n \times m} \times \mathbb Z_q^m$, you can compute a new sample of the form $(\mathbf a', b') \in \mathbb Z_q^n \times \mathbb Z_q$, right? The dimensions are different, then. Does it have sense to repeat this process $m$ times with the same $\mathbf r$ in order to obtain a single sample of the same original dimensions? – cygnusv Jul 14 '15 at 19:39
  • 1
    The "LWE dimension" here is $n$, and is preserved by the process I described. The original $(\mathbf{A}, \mathbf{b}^t)$ corresponds to $m$ LWE samples (one for each column of $\mathbf{A}$), where the secret has dimension $n$. The above process generates a fresh sample having exactly the same $n$-dimensional secret. We can of course run the method an unbounded number of times to get as many new samples as we want. – Chris Peikert Jul 14 '15 at 22:22