On the Ring-LWE and Polynomial-LWE problems
Miruna Roşca, Damien Stehlé, Alexandre Wallet
Alexandre Wallet 1 / 37
[Diagram of known reductions, reconstructed from the slide: ApproxSVP on O_K-modules →[LS15]→ Module-LWE; ApproxSVP on O_K-ideals →[PRS17]→ decision RLWE∨; [AD17] relates Module-LWE to decision/search RLWE∨; decision RLWE∨ ↔ search RLWE∨; this work: decision/search RLWE and decision/search PLWE; [RSSS17]: decision/search MPLWE.]
“On variants of Polynomial-LWE and Ring-LWE” (joint work with M. Roşca and D. Stehlé, submitted)

Results:
(A) The 3 settings are essentially† the same.
(B) Search = Decision in all settings.

†: for a large number of “reasonable” polynomials, up to polynomial factors on the noise, and assuming some information about the field is known.
Outline
1. LWE and Cryptography: Regev’s encryption scheme; Learning With Errors (LWE) and its hardness
2. Ring-based LWE
3. Reductions between Ring-based LWE’s
4. Search to Decision
An encryption scheme [Regev’05]
n “security parameter”, q prime, n ≤ m ≤ poly(n), χ a distribution over Z_q = Z/qZ.

Alice: s ∈ Z_q^n; A ∈ M_{m×n}(Z_q), e_i ← χ; b = A·s + e mod q. She publishes (A, b).
Evil (the eavesdropper) sees (A, b) and everything Bruno sends.
Bruno: µ ∈ {0, 1}; E_{A,b}(µ) = (a′, b′) = (Σ_{i∈I} a_i, Σ_{i∈I} b_i + µ⌊q/2⌋) for a subset I of the rows; he sends (a′, b′) to Alice.
Alice: e′ = b′ − ⟨a′, s⟩ mod q.

Correctness: q, m, χ chosen s.t. e′ = Σ_{i∈I} e_i ≤ q/4 whp.
Dec_s(a′, b′) = 0 if e′ ∼ 0, and 1 if e′ ∼ q/2.
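The scheme on this slide, as an added worked example (not code from the slides or from Regev’s paper). The parameters n = 32, m = 256, q = 4093 and the noise distribution are constructed for the demonstration: a small centered-binomial noise stands in for χ so that the correctness condition |Σ_{i∈I} e_i| < q/4 holds for every subset I, and the numbers are far too small to be a secure choice.

```python
import random

# Toy parameters, constructed for this example (not a secure parameter set).
N, M, Q = 32, 256, 4093


def sample_noise(rng, k=2):
    """Small centered noise standing in for the slide's chi: a centered binomial
    with values in [-k, k]. Constructed simplification, not a discrete Gaussian."""
    return sum(rng.randint(0, 1) - rng.randint(0, 1) for _ in range(k))


def inner(u, v, q=Q):
    """<u, v> mod q."""
    return sum(x * y for x, y in zip(u, v)) % q


def keygen(rng, n=N, m=M, q=Q):
    """Alice: secret s in Z_q^n; public key (A, b = A s + e mod q), A in M_{m x n}(Z_q)."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(inner(row, s, q) + sample_noise(rng)) % q for row in A]
    return s, (A, b)


def encrypt(pk, mu, rng, q=Q):
    """Bruno: pick a subset I of the rows, sum them, and add mu * floor(q/2) to the b-part."""
    A, b = pk
    I = [i for i in range(len(A)) if rng.randint(0, 1)]
    a_prime = [sum(A[i][j] for i in I) % q for j in range(len(A[0]))]
    b_prime = (sum(b[i] for i in I) + mu * (q // 2)) % q
    return a_prime, b_prime


def decrypt(s, ct, q=Q):
    """Alice: e' = b' - <a', s> mod q is near 0 for mu = 0 and near q/2 for mu = 1."""
    a_prime, b_prime = ct
    e_prime = (b_prime - inner(a_prime, s, q)) % q
    dist_to_zero = min(e_prime, q - e_prime)  # centered absolute value of e'
    return 0 if dist_to_zero < q // 4 else 1


def noise_bound_holds(m=M, q=Q, k=2):
    """Correctness condition of the slide, |sum_{i in I} e_i| < q/4, checked in the worst
    case: each e_i is bounded by k, so the sum over any I is bounded by m*k."""
    return m * k < q / 4


def roundtrip(seed=0, trials=50):
    """Encrypt and decrypt both bits repeatedly with a seeded generator; True if all match."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return all(decrypt(s, encrypt(pk, mu, rng)) == mu
               for _ in range(trials) for mu in (0, 1))


if __name__ == "__main__":
    print("noise bound holds:", noise_bound_holds(), "round trip ok:", roundtrip())
```

Because the noise is bounded rather than Gaussian, decryption here never fails; with a genuine discrete Gaussian χ the same check holds only with high probability, which is exactly the “whp” on the slide.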
Learning With Errors [R’05]
n ∈ N*, q ≤ poly(n) a prime, χ → D_r a discrete Gaussian distribution, Z_q := Z/qZ.
LWE distribution A_{s,D_r}: fix s ∈ Z_q^n; a ← U(Z_q^n), e ← D_r; output (a, b = (⟨a, s⟩ + e) mod q).
Search-LWE_{q,r}: from (A, b = A·s + e), with A ∈ Z_q^{m×n} holding m samples as rows, find s.
Hardness [R’05]
Decision-LWE_{q,D_r}: given (a_i, b_i)_{i≤m} either from A_{s,D_r} or from U(Z_q^n × Z_q), decide which one was given.
Lattice L = A·Z^n, λ_1 = length of a shortest vector in L \ {0}.
ApproxSVP_γ: given d > 0, decide if λ_1 ≤ d or λ_1 > dγ.
For general lattices: time 2^{O(n)} for γ = poly(n); time poly(n) for γ = 2^{Õ(n)}.
breaking Regev’s encryption = solving Decision-LWE ⟹ (classical) solving Search-LWE ⟹ (quantum) solving ApproxSVP_{poly(n)}
LWE in practice
Perks: ✓ simple description, simple operations; ✓ flexible parameters, many possibilities; ✓ post-quantum.
Drawbacks: ✕ key size; ✕ speed (compared to other schemes).

              Frodo† (NIST competitor) | current crypto: RSA 3072 bits | current crypto: ECDH nistp256
Public key    ∼ 11 KBytes              | ∼ 400 bytes                   | 32 bytes
Handshake     ∼ 2.5 ms                 | ∼ 5 ms                        | ∼ 1.3 ms
†: [BCD++’17]
Outline
1. LWE and Cryptography
2. Ring-based LWE: Polynomial-LWE: ideal lattices; Ring-LWE: more algebraic number theory
3. Reductions between Ring-based LWE’s
4. Search to Decision
Add structure: ideal lattices
Change Z ⇝ R = Z[X]/f, with f monic, irreducible, of degree n. Good example: f = X^n + 1, n = 2^d.
polynomials ↔ vectors/matrices:
  s = Σ s_i X^i ∈ R_q = R/qR  ↔  s = (s_0, …, s_{n−1}) ∈ Z_q^n
  product a·s mod f  ↔  multiplication by the Toeplitz matrix (shown for f = X^n + 1)
    T_f(a) = [ a_0       −a_{n−1}   …   −a_1
               a_1        a_0       …   −a_2
               ⋮          ⋮         ⋱    ⋮
               a_{n−1}    a_{n−2}   …    a_0 ]
  noise e = Σ e_i X^i, e_i ← D_{r_i}  ↔  e = (e_0, …, e_{n−1}) ∈ R^n
  sample (a, b = a·s + e mod qR)  ↔  (a, b = T_f(a)·s^⊤ + e mod q)
Polynomial-LWE (PLWE)
Classic LWE: b = A·s + e with A ∈ Z_q^{k×n}  ⟹  PLWE: b = [T_f(a_1); T_f(a_2); …; T_f(a_{k′})]·s + [e_1; e_2; …; e_{k′}], where each T_f(a_j) is n×n and k = k′·n.
1 PLWE sample = n correlated LWE samples.
PLWE and its hardness [SSTX’09]
R = Z[X]/f, f monic, irreducible, degree n. r⃗ = diag(r_i)_{i≤n}, r_i ≥ 0; D_{r⃗} an n-dimensional Gaussian.
PLWE_{q,r⃗,f} distribution B_{s,D_{r⃗}}: fix s ∈ R_q; a ← U(R_q), e ← D_{r⃗}; output (a, b = (a·s + e) mod qR).
Search-PLWE_{q,r⃗,f} and Decision-PLWE_{q,r⃗,f} defined as before.
Polynomial ideal aR = {multiples of a in R} ↦ T_f(a)·Z^n: an ideal lattice.
Solving Search-PLWE ⇒ solving ApproxSVP_γ in ideal lattices for γ ≤ poly(n).
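The polynomial-to-matrix dictionary of the “ideal lattices” slide, the “1 PLWE sample = n correlated LWE samples” slide and the PLWE distribution just defined, as one added example (not code from the slides). It works for any monic f, given as its list of low-order coefficients, and specialises to the negacyclic matrix of f = X^n + 1. The modulus q = 17, the secret and the rounded-Gaussian noise (a stand-in for D_{r_i}) are constructed for the demonstration.

```python
import random


def poly_reduce(c, f):
    """Reduce the coefficient list c modulo the monic polynomial
    f = X^n + f_{n-1} X^{n-1} + ... + f_0, passed as [f_0, ..., f_{n-1}] (leading 1 implicit)."""
    n = len(f)
    c = list(c) + [0] * max(0, n - len(c))
    for k in range(len(c) - 1, n - 1, -1):
        coef = c[k]
        c[k] = 0
        if coef:
            # X^k = -X^(k-n) * (f_0 + f_1 X + ... + f_{n-1} X^{n-1})
            for i in range(n):
                c[k - n + i] -= coef * f[i]
    return c[:n]


def poly_mul_mod(a, b, f):
    """a * b in R = Z[X]/f (coefficient lists of length n = deg f)."""
    n = len(f)
    c = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] += ai * bj
    return poly_reduce(c, f)


def toeplitz(a, f):
    """T_f(a): column j holds the coefficients of a * X^j mod f, so that
    T_f(a) . s^T equals the coefficient vector of a * s mod f."""
    n = len(f)
    cols = [poly_reduce([0] * j + list(a), f) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def mat_vec(T, s, q):
    """T . s^T mod q."""
    return [sum(t * x for t, x in zip(row, s)) % q for row in T]


def plwe_sample(s, f, q, r, rng):
    """One PLWE_{q,r,f} sample: a uniform in R_q, e_i a rounded Gaussian of width r_i
    (stand-in for D_{r_i}), b = a*s + e mod qR. Returns e as well so it can be inspected."""
    n = len(f)
    a = [rng.randrange(q) for _ in range(n)]
    e = [round(rng.gauss(0, r[i])) for i in range(n)]
    b = [(x + y) % q for x, y in zip(poly_mul_mod(a, s, f), e)]
    return a, b, e


def as_lwe_rows(a, s, e, f, q):
    """The same sample written as n LWE samples (row_i of T_f(a), <row_i, s> + e_i mod q).
    They share the secret, and the rows are correlated: all n are built from the n
    coefficients of a single a."""
    T = toeplitz(a, f)
    return [(row, (sum(t * x for t, x in zip(row, s)) + ei) % q) for row, ei in zip(T, e)]


def sample_matches_lwe_rows(seed=1, f=(1, 0, 0, 0), q=17):
    """Consistency check: the b of a PLWE sample equals the b-parts of its n LWE rows."""
    f = list(f)
    rng = random.Random(seed)
    s = [1, 2, 3, 4]                      # constructed secret
    a, b, e = plwe_sample(s, f, q, [1.0] * len(f), rng)
    return [bi for _, bi in as_lwe_rows(a, s, e, f, q)] == b


if __name__ == "__main__":
    F4 = [1, 0, 0, 0]                     # f = X^4 + 1
    for row in toeplitz([1, 2, 3, 4], F4):
        print(row)
    print("PLWE sample == n LWE rows:", sample_matches_lwe_rows())
```

The first row printed for a = 1 + 2X + 3X^2 + 4X^3 is (a_0, −a_3, −a_2, −a_1), matching the matrix on the slide; changing f to [−5, 0] (f = X^2 − 5) gives the corresponding non-negacyclic multiplication matrix.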
Practice vs. Theory
Perks: ✓ fast and compact operations; ✓ still post-quantum.
New Hope† (NIST competitor): public key ∼ 2 KBytes, handshake ∼ 0.3 ms.
Theoretical limitations:
✗ γ depends on f’s “expansion factor” → restricts the “good f’s”
✗ Working with R relies too much on f → difficult proofs, lacks tools and flexibility
†: [ADPS’15]
Number fields and rings
R = Z[X]/f is a number ring. It lives in K = Q[X]/f, a number field.
Structure: K = Span_Q(1, X, …, X^{n−1}) where n = deg f.
Field embeddings: σ_j(a) = Σ_i a_i α_j^i ∈ C, where f = ∏_{j≤n} (X − α_j).
f has s_1 real roots and 2s_2 (conjugate) complex roots.
The space H = {(v_1, …, v_n) ∈ R^{s_1} × C^{2s_2} : ∀ i ≥ 1, v_{i+s_1+s_2} = complex conjugate of v_{i+s_1}}.
Two representations:
  Coefficient embedding: a ↦ a = (a_0, …, a_{n−1}) ∈ Q^n
  Minkowski embedding: a ↦ σ(a) = (σ_1(a), …, σ_n(a)) ∈ H, with σ(ab) = (σ_i(a)σ_i(b))_{i≤n}
The ring of algebraic integers
O_K = {x ∈ K : x is a root of a monic polynomial in Z[X]}.
It is a lattice: O_K = Z b_1 + … + Z b_n for some b_i ∈ O_K (b_i ≠ 0).
Dual (lattice): O_K^∨ = {y ∈ H : ∀ x ∈ O_K, ⟨y, x⟩ ∈ Z}.
✓ O_K is a regularization of R = Z[X]/f  − but R ⊊ O_K in general
✓ O_K is intrinsic to K: its structure does not depend on f
It may not be possible to take 1, X, …, X^{n−1} as a basis. Computing a Z-basis for O_K is usually hard.
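The embeddings of the previous slide and the “R ⊊ O_K in general” remark of this one, as an added numerical example (not code from the slides). Two constructed toy fields are used: K = Q[X]/(X^4 + 1), whose roots are known in closed form (s_1 = 0, s_2 = 2), and K = Q[X]/(X^2 − 5) (s_1 = 2, s_2 = 0), where (1 + X)/2 is an algebraic integer that is not in R = Z[X]/(X^2 − 5). Integrality is tested by computing the characteristic polynomial ∏_j (Y − σ_j(x)) from the embeddings and checking that its coefficients are integers.

```python
import cmath
import math


def roots_of_xn_plus_1(n):
    """Roots of X^n + 1 for even n, ordered as H expects: the s_2 = n/2 roots with
    positive imaginary part first, then their conjugates in the same order."""
    upper = [cmath.exp(1j * math.pi * (2 * j + 1) / n) for j in range(n // 2)]
    return upper + [z.conjugate() for z in upper]


# Roots of the constructed example f = X^2 - 5: both real, so s_1 = 2, s_2 = 0.
ROOTS_X2_MINUS_5 = [complex(math.sqrt(5)), complex(-math.sqrt(5))]


def sigma(a, roots):
    """Minkowski embedding: sigma_j(a) = sum_i a_i * alpha_j^i for each root alpha_j of f."""
    return [sum(ai * alpha ** i for i, ai in enumerate(a)) for alpha in roots]


def in_H(v, s1, s2, tol=1e-9):
    """v in H = R^{s1} x C^{2 s2} with v_{i+s1+s2} = conj(v_{i+s1}) (0-based indices here)."""
    reals_ok = all(abs(v[i].imag) < tol for i in range(s1))
    pairs_ok = all(abs(v[s1 + s2 + i] - v[s1 + i].conjugate()) < tol for i in range(s2))
    return reals_ok and pairs_ok


def mul_mod_xn_plus_1(a, b):
    """Product in Q[X]/(X^n + 1): wrapped-around terms pick up a minus sign since X^n = -1."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj
    return c


def embedding_is_multiplicative(a, b, tol=1e-9):
    """The slide's key property sigma(ab) = sigma(a) * sigma(b) coordinate-wise, in Q[X]/(X^n + 1)."""
    roots = roots_of_xn_plus_1(len(a))
    lhs = sigma(mul_mod_xn_plus_1(a, b), roots)
    rhs = [x * y for x, y in zip(sigma(a, roots), sigma(b, roots))]
    return max(abs(x - y) for x, y in zip(lhs, rhs)) < tol


def char_poly_coeffs(x, roots):
    """Coefficients (highest degree first) of prod_j (Y - sigma_j(x)), the characteristic
    polynomial of x over Q. x is in O_K exactly when all of them are integers."""
    poly = [1]
    for z in sigma(x, roots):
        poly = [p - z * q for p, q in zip(poly + [0], [0] + poly)]  # multiply by (Y - z)
    return poly


def is_integral(x, roots, tol=1e-9):
    """Numerical test of x in O_K (x given by its coefficient vector in Q^n)."""
    return all(abs(c - round(c.real)) < tol for c in char_poly_coeffs(x, roots))


if __name__ == "__main__":
    # (1 + X)/2 in Q(sqrt 5) has characteristic polynomial Y^2 - Y - 1: integral, yet not in Z[X]/(X^2 - 5)
    print([round(c.real) for c in char_poly_coeffs([0.5, 0.5], ROOTS_X2_MINUS_5)])
    print("X/2 integral:", is_integral([0, 0.5], ROOTS_X2_MINUS_5))
    print("sigma multiplicative:", embedding_is_multiplicative([1, 2, 0, 0], [0, 1, 0, 0]))
```

The test with (1 + X)/2 is the smallest illustration of why 1, X, …, X^{n−1} need not be a Z-basis of O_K: the element has denominator 2 in the coefficient embedding but is integral, so Z[X]/f misses part of O_K.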
RLWE [LPR’10]
R ⊆ O_K; use the Minkowski embedding. H = Span_R(v_1, …, v_n).
D^H_{r⃗}: e_i ← D_{r_i}, outputs e = Σ e_i v_i ∈ H.
Assume a Z-basis of O_K is known.
RLWE^∨_{q,r⃗} distribution A^∨_{s,D_{r⃗}}: fix s ∈ O^∨_{K,q} := O_K^∨/qO_K^∨; a ← U(O_{K,q}), e ← D^H_{r⃗}; output (a, b = (a·s + e) mod qO_K^∨).
Search-RLWE^∨_{q,r⃗} and Decision-RLWE^∨_{q,r⃗} defined as before.
“Primal” variant: s ∈ O_{K,q} := O_K/qO_K.