LWE Overview

1. Definition

LWE distribution
For a secret vector \({\bf s}\in\mathbb{Z}^n_q\),
the LWE distribution \(A_{{\bf s} ,\chi}\) over \(\mathbb{Z}^n_q\times\mathbb{Z}_q\) is sampled by choosing
\({\bf a}\in\mathbb{Z}^n_q\) uniformly at random,
\(e\gets\chi\),
outputting \(({\bf a},b=\langle{\bf s,a}\rangle+e\ {\rm mod}\ q)\).

Search-LWE\(_{n,q,\chi,m}\)
Given \(m\) independent samples \(({\bf a}_i,b_i)\in\mathbb{Z}^n_q\times\mathbb{Z}_q\) drawn from \(A_{{\bf s} ,\chi}\) for a uniformly random \({\bf s}\in\mathbb{Z}^n_q\), find \(\bf s\).

Decision-LWE\(_{n,q,\chi,m}\)
Given \(m\) independent samples \(({\bf a}_i,b_i)\in\mathbb{Z}^n_q\times\mathbb{Z}_q\) where every sample is distributed according to either:
① \(A_{{\bf s} ,\chi}\) for a uniformly random \(\bf s\) (fixed for all samples),
② the uniform distribution,
distinguish which is the case (with non-negligible advantage).

2. Parameters for Cryptographic Applications

3. Hardness

Theorem 1 (LWE\(\leq\)GapSVP)
Let \(q\geq2\) be an integer and \(\alpha\) be a real number in (0, 1).
Assume we are given access to an oracle that solves the LWE problem with modulus \(q\) and error parameter \(\alpha\).
Then, given as input any lattice \(\Lambda\), a large enough polynomial number of samples from the discrete Gaussian distribution \(D_{\Lambda^*,r}\) for some (not too small) \(r\), and a point \(\bf x\) within distance \(\alpha q/(\sqrt{2}r)\) of \(\Lambda\),
we can output the (unique) closest lattice point to \(\bf x\) in polynomial time.

Theorem 2 (Decision \(\leq\) Search)
Let \(n\geq1\) be some integer, \(2\leq q\leq {\rm poly}(n)\) be a prime, and \(\chi\) be some distribution on \(\mathbb{Z}_q\).
Assume we have access to a procedure \(W\) that for all \(\bf s\) accepts with probability exponentially close to 1 on inputs from \(A_{{\bf s},\chi}\) and rejects with probability exponentially close to 1 on inputs from \(\mathcal{U}\).
Then, there exists an efficient algorithm \(W'\) that, given samples from \(A_{{\bf s},\chi}\) for some unknown \(\bf s\), outputs \(\bf s\) with probability exponentially close to 1.
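A toy implementation of the LWE distribution from Section 1 together with the coordinate-by-coordinate reduction behind Theorem 2, added here as an example and not part of the original post. The decision oracle is a constructed stand-in that cheats by knowing \(\bf s\) (the reduction itself only calls it as a black box), and the parameters \(n=4\), \(q=97\), \(\sigma=2\), \(m=40\) are illustrative, not secure.

```python
import random
def inner(u, v, q):
    return sum(x * y for x, y in zip(u, v)) % q          # <u, v> mod q

def sample_lwe(s, q, m, sigma, rng):
    """m samples (a, b = <s,a> + e mod q) from A_{s,chi}, chi = rounded Gaussian(sigma)."""
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(len(s))]
        out.append((a, (inner(s, a, q) + round(rng.gauss(0, sigma))) % q))
    return out

def make_toy_decision_oracle(s, q, bound):
    """Stand-in for W in Theorem 2. It cheats by knowing s: accept when almost all
    residues b - <s,a> are small (LWE-like), reject when they look uniform."""
    def W(samples):
        small = 0
        for a, b in samples:
            r = (b - inner(s, a, q) + q // 2) % q - q // 2   # centre into [-q/2, q/2)
            small += abs(r) <= bound
        return small >= 0.9 * len(samples)
    return W

def search_from_decision(samples, q, W, rng):
    """Theorem 2 (Search <= Decision), coordinate by coordinate, using W as a black
    box. For a guess k of s_i, map (a, b) to (a + l*e_i, b + l*k) with random l:
    if k == s_i this is still A_{s,chi}; otherwise b gains l*(k - s_i), uniform
    for prime q, so W rejects."""
    s = []
    for i in range(len(samples[0][0])):
        for k in range(q):
            shifted = []
            for a, b in samples:
                l = rng.randrange(q)
                a2 = a[:i] + [(a[i] + l) % q] + a[i + 1:]
                shifted.append((a2, (b + l * k) % q))
            if W(shifted):
                s.append(k)
                break
        else:
            raise RuntimeError("oracle accepted no candidate for s_%d" % i)
    return s

def demo(seed=2020):
    """Toy run with n=4, q=97 (prime), sigma=2, m=40: illustrative, not secure."""
    q, rng = 97, random.Random(seed)
    secret = [rng.randrange(q) for _ in range(4)]
    W = make_toy_decision_oracle(secret, q, bound=6)
    return secret, search_from_decision(sample_lwe(secret, q, 40, 2.0, rng), q, W, rng)
```

Running `demo()` returns the secret and the vector recovered from the oracle; the two agree because the guess \(k=s_i\) is the only shift that leaves the samples LWE-distributed.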

Theorem 3 (Average-case \(\leq\) Worst-case)
Let \(n, q\geq1\) be some integers and \(\chi\) be some distribution on \(\mathbb{Z}_q\).
Assume that we have access to a distinguisher \(W\) that distinguishes \(A_{{\bf s},\chi}\) from \(\mathcal{U}\) for a non-negligible fraction of all possible \(\bf s\).
Then there exists an efficient algorithm \(W'\) that for all \(\bf s\) accepts with probability exponentially close to 1 on inputs from \(A_{{\bf s},\chi}\) and rejects with probability exponentially close to 1 on inputs from \(\mathcal{U}\).

4. Generalizations and variants of LWE

5. Open Questions

posted on 2020-01-10 12:20  Jiangad