Learning With Errors (LWE) is a quantum robust method of cryptography. Initially we create a secret value (\(s\)) and which is our private key. We then create a public key which is based on random numbers (\(A\)), and then generate another set of numbers (\(B\)) which is based on \(A\),\(s\) and random errors \(e\). In this case we will show how a 4-bit value can be encrypted. In this case we will convert an integer to a 4-bit value, and then cipher each of the bits. This is achieved by generating a public key, and then sampling the public key for each of the bits. In this case we will take two values and then do a bitwise ADD operation. If the values are the same, we should get a deciphered value of 0000.
Homomorphic Encryption with Learning With Errors (LWE) |
Outline
This is a method defined by Oded Regev in 2005 [here] and is known as LWE (Learning With Errors). First we select a random series of values for our public key (\(A\)). For example, let's select 20 random values from 0 to 100:
[80, 86, 19, 62, 2, 83, 25, 47, 20, 58, 45, 15, 30, 68, 4, 13, 8, 6, 42, 92]
Next we add create a list (\(B\)) and were the elements are \(B_i = A_i s + e_i \pmod q\), and where \(s\) is a secret value, and \(e\) is a list of small random values (the error values). If we take a prime number (\(q\)) of 97, and an error array (\(e\)) of:
[3, 3, 4, 1, 3, 3, 4, 4, 1, 4, 3, 3, 2, 2, 3, 2, 4, 4, 1, 3]
we generate a list (\(B\)) of:
[15, 45, 2, 20, 13, 30, 32, 45, 4, 3, 34, 78, 55, 51, 23, 67, 44, 34, 17, 75]
The \(A\) and \(B\) list will be our public key, and \(s\) will be our secret key. We can now distribute \(A\) and \(B\) to anyone who wants to encrypt a message for us (but keep \(s\) secret). To encrypt we take samples from the A and B lists, and take a message bit (M), and then calculate two values:
\(u = \sum(A_{samples}) \pmod q \)
\(v = \sum(B_{samples})+\frac{q}{2} M \pmod q \)
The encrypted message is (\(u,v\)). To decrypt, we calculate:
\( Dec = v - s u \pmod q\)
If \(Dec\) is less than \(\frac{q}{2}\), the message is a zero, else it is a 1.
For homomophic encryption, we can perform a single-bit adder function by generating (u,v) for each of the bits and then performing (for the two values for \(bit_0\) - \(v1_0, u1_0, v2_0\) and \(u2_0\):
\( Bit = (v1_0 - s u1_0) + (v2_0 - s u2_0) \pmod q\)
With multiple bits, we basically take our value and then convert into bits. Next we cipher each bit by taking a random sample from the public key.
A sample run with a value of 4 is:
------Parameters and keys------- Value to cipher: 2 4 Public Key (A): [30, 44, 45, 66, 35, 55, 59, 92, 40, 60, 36, 94, 91, 12, 24, 11, 67, 78, 10, 6] Public Key (B): [55, 27, 34, 40, 80, 83, 5, 74, 9, 10, 85, 84, 70, 62, 24, 58, 46, 4, 51, 32] Errors (e): [2, 1, 3, 1, 2, 2, 1, 2, 3, 1, 2, 2, 3, 2, 1, 3, 2, 2, 1, 2] Secret key: 5 Prime number: 97 ------Sampling Process from public key------- Bits to be ciphered: [0, 1, 0, 0, 0, 0, 0, 0] [0, 0, 1, 0, 0, 0, 0, 0] [0, 7, 3, 9, 14] [18, 6, 14, 17, 2] [18, 17, 15, 9, 16] [6, 15, 18, 10, 17] [0, 8, 18, 5, 1] [17, 10, 3, 7, 8] [8, 1, 17, 14, 10] [1, 2, 17, 12, 8] ------Results ----------------- Result bit0 is 0 Result bit1 is 1 Result bit2 is 1 Result bit3 is 0
Coding
The following is an outline:
import sys import numpy as np import random import math nvals=20 B=[] e=[] s = 20 M1 = 2 M2 = 5 q=97 def get_uv(A,B,M,q): u=0 v=0 sample= random.sample(range(nvals-1), nvals//4) print(sample) for x in range(0,len(sample)): # print "[",A[sample[x]],B[sample[x]],"]", u=u+(A[sample[x]]) v= v+B[sample[x]] v=v+math.floor(q/2)*M return u%q,v%q def get_result(u1,v1,u2,v2,q): res=((v1-s*u1) + (v2-s*u2)) % q if (res>q//2): return 1 return 0 def tobits(val): l = [0]*(8) l[0]=val & 0x1 l[1]=(val & 0x2)>>1 l[2]=(val & 0x4)>>2 l[3]=(val & 0x8)>>3 return l if (len(sys.argv)>1): M1=int(sys.argv[1]) if (len(sys.argv)>2): M2=int(sys.argv[2]) if (len(sys.argv)>3): s=int(sys.argv[3]) if (len(sys.argv)>4): q=int(sys.argv[4]) A = random.sample(range(q), nvals) for x in range(0,len(A)): e.append(random.randint(1,3)) B.append((A[x]*s+e[x])%q) print("\n------Parameters and keys-------") print("Value to cipher:\t",M1,M2) print("Public Key (A):\t",A) print("Public Key (B):\t",B) print("Errors (e):\t\t",e) print("Secret key:\t\t",s) print("Prime number:\t\t",q) print("\n------Sampling Process from public key-------") bits1 = tobits(M1) bits2 = tobits(M2) print("Bits to be ciphered:",bits1,bits2) u1_1,v1_1=get_uv(A,B,bits1[0],q) u2_1,v2_1=get_uv(A,B,bits1[1],q) u3_1,v3_1=get_uv(A,B,bits1[2],q) u4_1,v4_1=get_uv(A,B,bits1[3],q) u1_2,v1_2=get_uv(A,B,bits2[0],q) u2_2,v2_2=get_uv(A,B,bits2[1],q) u3_2,v3_2=get_uv(A,B,bits2[2],q) u4_2,v4_2=get_uv(A,B,bits2[3],q) print("\n------Results -----------------") print("Result bit0 is",get_result(u1_1,v1_1,u1_2,v1_2,q)) print("Result bit1 is",get_result(u2_1,v2_1,u2_2,v2_2,q)) print("Result bit2 is",get_result(u3_1,v3_1,u3_2,v3_2,q)) print("Result bit3 is",get_result(u4_1,v4_1,u4_2,v4_2,q))
A fun article on this is [here]