on the ring lwe and polynomial lwe problems
play

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien - PowerPoint PPT Presentation

Nov 20, 2022 •161 likes •659 views

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet 1/35 A. Wallet About todays talk Its post-quantum (public-key) crypto time! Cryptography = building secure schemes Theoretical security = reduction

  1. On the Ring-LWE and Polynomial-LWE problems Miruna Roşca, Damien Stehlé, Alexandre Wallet 1/35 A. Wallet

  2. About today’s talk It’s post-quantum (public-key) crypto time! Cryptography = building secure schemes Theoretical security = reduction from hard † algorithmic problems Classical public-key crypto (RSA, DLog) broken by quantum computers. ⇒ We need quantum hard † problems . This talk is about: Lattice-based cryptography (a post-quantum assumption) Reductions between hard † problems related to lattices Theoretical stuff, but impacts the understanding of practical schemes † : at least conjecturally 2/35 A. Wallet

  3. About today’s talk It’s post-quantum (public-key) crypto time! Cryptography = building secure schemes Theoretical security = reduction from hard † algorithmic problems Classical public-key crypto (RSA, DLog) broken by quantum computers. ⇒ We need quantum hard † problems . This talk is about: Lattice-based cryptography (a post-quantum assumption) Reductions between hard † problems related to lattices Theoretical stuff, but impacts the understanding of practical schemes † : at least conjecturally 2/35 A. Wallet

  4. ApproxSVP ( O K -ideals) [PRS17] K = Q [ X ] /f O ∨ Decision RLWE ∨ Search RLWE ∨ K This work “Ring-based O K Decision RLWE Search RLWE LWE” Decision PLWE Z [ X ] /f Search PLWE 3/35 A. Wallet

  5. ApproxSVP ( O K -ideals) [PRS17] K = Q [ X ] /f O ∨ Decision RLWE ∨ Search RLWE ∨ K “Ring-based O K Decision RLWE Search RLWE LWE” Decision PLWE Z [ X ] /f Search PLWE 3/35 A. Wallet

  6. “On variants of Polynomial-LWE and Ring-LWE” (EUROCRYPT 2018) Results: (A) The 3 settings are essentially † the same (B) Search = Decision in all settings. Not described: Worst-case hardness for Polynomial-LWE. † : for a large number of “reasonable” polynomials, up to polynomial factors on noise, assuming some information about the field are known. 4/35 A. Wallet

  7. LWE and Cryptography 1 Regev’s encryption scheme Learning With Errors (LWE) and its hardness Ring-based LWE 2 Reductions between Ring-based LWE’s 3 Search to Decision 4 Open problems 5 5/35 A. Wallet

  8. An encryption scheme [Regev’05] n “security parameter”, q prime, n ≤ m ≤ poly ( n ) , D distribution over Z q = Z /q Z . 6/35 A. Wallet

  9. An encryption scheme [Regev’05] n “security parameter”, q prime, n ≤ m ≤ poly ( n ) , D distribution over Z q = Z /q Z . 6/35 A. Wallet

  10. An encryption scheme [Regev’05] n “security parameter”, q prime, n ≤ m ≤ poly ( n ) , D distribution over Z q = Z /q Z . Correctness: q, m, χ chosen s.t. e ′ = � e i ≤ q 4 whp. 0 if e ′ ∼ 0 � Dec s ( a ′ , b ′ ) = 1 if e ′ ∼ q 2 6/35 A. Wallet

  11. Learning With Errors [Regev’05] n ∈ N ∗ , q ≤ poly ( n ) a prime D → D σ discrete Gaussian distribution Z q := Z /q Z . LWE distribution: Fix s ∈ Z n q .  ֓ U ( Z n  a ← q )  A s ,σ,q : e ← ֓ D σ   outputs ( a , b = ( � a , s � + e ) mod q ) 7/35 A. Wallet

  12. LWE hardness and lattices [Regev’05] ApproxSVP γ : Given B , compute λ 1 up to a factor γ . For γ = poly ( n ) , best known algo runs in time 2 O ( n ) (classic, quantum ). solve Decision-LWE solve break quantum � classical � = ApproxSVP poly ( n ) Regev’s encryption solve Search-LWE Practical limitations of LWE: public data size, speed. A solution: use structured matrices/lattices. 8/35 A. Wallet

  13. LWE hardness and lattices [Regev’05] ApproxSVP γ : Given B , compute λ 1 up to a factor γ . For γ = poly ( n ) , best known algo runs in time 2 O ( n ) (classic, quantum ). solve Decision-LWE solve break quantum � classical � = ApproxSVP poly ( n ) Regev’s encryption solve Search-LWE Practical limitations of LWE: public data size, speed. A solution: use structured matrices/lattices. 8/35 A. Wallet

  14. LWE and Cryptography 1 Ring-based LWE 2 Polynomial-LWE: ideal lattices Ring-LWE: more algebraic number theory Reductions between Ring-based LWE’s 3 Search to Decision 4 Open problems 5 9/35 A. Wallet

  15. Polynomial-LWE (PLWE) [SSTX09] q to R q := Z q [ X ] /f . Good example: f = X n + 1 , with n = 2 d . Change Z n polynomials integer vectors/matrices s = � s i X i ∈ R q s = ( s 0 , . . . , s n − 1 ) ⊤ ∈ Z n q Produit: a · s mod f Mult. by a with structured matrix  a 0 − a 1 . . . − a n − 1  a 1 a 0 . . . − a n − 2   T f ( a ) =  . .  ... . .   . .   a n − 1 a n − 2 . . . a 0 10/35 A. Wallet

  16. 11/35 A. Wallet

  17. PLWE and its hardness [SSTX’09] R = Z [ X ] /f Σ : any pos.def.matrix f monic, irreducible, degree n . D Σ n -dimensional Gaussian . PLWE distribution: Fix s ∈ R q   a ← ֓ U ( R q )  PLWE q, Σ ,f,s : e ← ֓ D Σ   outputs ( a, b = ( a · s + e ) mod qR ) Solve Search-PLWE ⇒ solve ApproxSVP γ in ideal lattices for γ ≤ poly ( n ) . → T f ( a ) · Z n ideal lattice? Ex: aR = { multiples of a in R } �− 12/35 A. Wallet

  18. PLWE and its hardness [SSTX’09] R = Z [ X ] /f Σ : any pos.def.matrix f monic, irreducible, degree n . D Σ n -dimensional Gaussian . PLWE distribution: Fix s ∈ R q   a ← ֓ U ( R q )  PLWE q, Σ ,f,s : e ← ֓ D Σ   outputs ( a, b = ( a · s + e ) mod qR ) Solve Search-PLWE ⇒ solve ApproxSVP γ in ideal lattices for γ ≤ poly ( n ) . → T f ( a ) · Z n ideal lattice? Ex: aR = { multiples of a in R } �− 12/35 A. Wallet

  19. Practice vs. Theory Perks: New Hope ✓ fast and compact operations (NIST competitor) ✓ post-quantum scheme Public key: ∼ 2 KBytes Handshake: ∼ 0 . 3 ms Theoretical limitations: → Restricts “good f ’s” ✗ γ depends on f ’s “expansion factor” → Lack of generality/flexibility ✗ Working with R relies too much on f 13/35 A. Wallet

  20. Number fields and rings R = Z [ X ] /f is a number ring . Lives in K = Q [ X ] /f , a number field . Structure: K = Span Q (1 , X, . . . , X n − 1 ) where n = deg f Field embeddings: σ j ( a ) = � a i α ji ∈ C where f = � i ≤ n ( X − α j ) . f has s 1 real roots and 2 s 2 (conjugate) complex roots. Two representations Coefficient embedding “Canonical” embedding → a = ( a 0 , . . . , a n − 1 ) ⊤ ∈ Q n → σ ( a ) = ( σ 1 ( a ) , . . . , σ n ( a )) ⊤ ∈ H a �− a �− σ ( ab ) = ( σ i ( a ) σ i ( b )) i ≤ n H is a R -inner-product space of dimension n in C n “canonical norm” � = “coefficient norm” 14/35 A. Wallet

  21. Number fields and rings R = Z [ X ] /f is a number ring . Lives in K = Q [ X ] /f , a number field . Structure: K = Span Q (1 , X, . . . , X n − 1 ) where n = deg f Field embeddings: σ j ( a ) = � a i α ji ∈ C where f = � i ≤ n ( X − α j ) . f has s 1 real roots and 2 s 2 (conjugate) complex roots. Two representations Coefficient embedding “Canonical” embedding → a = ( a 0 , . . . , a n − 1 ) ⊤ ∈ Q n → σ ( a ) = ( σ 1 ( a ) , . . . , σ n ( a )) ⊤ ∈ H a �− a �− σ ( ab ) = ( σ i ( a ) σ i ( b )) i ≤ n H is a R -inner-product space of dimension n in C n “canonical norm” � = “coefficient norm” 14/35 A. Wallet

  22. The ring of algebraic integers O K = { x ∈ K roots of monic polynomials in Z [ X ] } It is a lattice: O K = Z b 1 + . . . + Z b n for some b i ∈ O K ( b i � = 0) . (As any lattice, it has a dual O ∨ K .) O K : regularization of Z [ X ] /f O K : intrinsic to K . (in general, R � O K ) Structure independent from f It may not be possible to take Computing a Z -basis for O K 1 , X, . . . , X n − 1 as a basis is usually hard . 15/35 A. Wallet

  23. Ring-LWE (RLWE) [LPR10] New ring choice: O K,q = O K /q O K . α 1 , . . . , α n ∈ C : roots of f . algebraic integers complex vectors/matrices s ∈ O ∨ σ ( s ) = ( s ( α 1 ) , . . . , s ( α n )) ∈ C n K,q Product: a · s Mult. by a coordinate-wise σ ( as ) = ( a ( α 1 ) s ( α 1 ) , . . . , a ( α n ) s ( α n )) D ( a ) := Diag ( a ( α 1 ) , . . . , a ( α n )) . 16/35 A. Wallet

  24. RLWE [LPR’10] R � O K , use canonical embedding. H = Span R ( v 1 , . . . , v n ) ֓ D Σ , outputs e = � e i v i ∈ H . D H Σ : e i ← Assume a Z -basis of O K is known. RLWE ∨ q, Σ ,s distribution: Fix s ∈ O ∨ K,q := O ∨ K /q O ∨ K   a ← ֓ U ( O K,q )  RLWE ∨ ֓ D H q, Σ ,s : e ← Σ   outputs ( a, b = ( as + e ) mod q O ∨ K ) “Primal” variant: RLWE q, Σ ,s with s ∈ O K,q := O K /q O K . the dual appears “naturally” in the reduction for some rings, describing the dual is easy (but then, so is getting to “primal” version) 17/35 A. Wallet

  25. ✓ “Canonical” objects ✓ Flexible (theoretical) tools ✓ More general proofs  � [LPR’10] Decision-RLWE ∨ = Search-RLWE ∨ for Galois fields [PRS’17] Decision ⇒ ApproxSVP for RLWE ∨ , RLWE, PLWE Situation? Using RLWE ∨ variants → Deal with O ∨ K and floating point numbers Z -basis of O K ? → long precomputations, non-uniform reductions In practice (NewHope), f = X 2 d − 1 , O K = Z [ X ] /f and coeff. embedding. What if cyclotomic fields are “weak”? 18/35 A. Wallet

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet Alexandre Wallet 1 / 37 ApproxSVP ApproxSVP ( O K -modules) ( O K -ideals) [LS15] [PRS17] [AD17] decision decision RLWE search RLWE

959 views • 54 slides
MA/CSSE 473 Day 38 Problems Decision Problems P and NP Polynomial time algorithms INTRO TO

MA/CSSE 473 Day 38 Problems Decision Problems P and NP Polynomial time algorithms INTRO TO

MA/CSSE 473 Day 38 Problems Decision Problems P and NP Polynomial time algorithms INTRO TO COMPUTATIONAL COMPLEXITY 1 The Law of the Algorithm Jungle Polynomial good, exponential bad! The latter is obvious, the former may need some

510 views • 16 slides
Pyrit: Polynomial Ring Transforms for Fast Erasure Coding Some parts of this work have been

Pyrit: Polynomial Ring Transforms for Fast Erasure Coding Some parts of this work have been

Pyrit: Polynomial Ring Transforms for Fast Erasure Coding Some parts of this work have been patented Jonathan Detchart and Jrme Lacan July 18, 2017 J. Detchart, J. Lacan NWCRG Erasure coding via polynomial ring transforms 1/ 14 Outline

316 views • 18 slides
I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers

I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers

O N THE R ESOLUTIONS OF ( SOME ) S IMPLICIAL F ORESTS S ARA F ARIDI D ALHOUSIE U NIVERSITY I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers i,j ( I ) ? Eliahou-Kervaire Splittings: When I = J + K

289 views • 25 slides
Polynomial-Time Problems Lecture 4: The polynomial method Part II: All-pairs shortest paths

Polynomial-Time Problems Lecture 4: The polynomial method Part II: All-pairs shortest paths

Complexity Theory of Polynomial-Time Problems Lecture 4: The polynomial method Part II: All-pairs shortest paths Sebastian Krinninger Overview on APSP Algorithms Floyd-Warshall algorithm: ( 3 ) Inserts one node at a time

687 views • 42 slides
Hard Problems Some problems are hard to solve. No polynomial time algorithm is known.

Hard Problems Some problems are hard to solve. No polynomial time algorithm is known.

Hard Problems Some problems are hard to solve. No polynomial time algorithm is known. E.g., NP-hard problems such as machine scheduling, bin packing, 0/1 knapsack. Is this necessarily bad? Data encryption relies on difficult

721 views • 15 slides
Polynomial Chains in Gentry- Szydlo Algorithm Se7ng R ring

Polynomial Chains in Gentry- Szydlo Algorithm Se7ng R ring

Polynomial Chains in Gentry- Szydlo Algorithm Se7ng R ring of integers in m-th cyclotomic field K n degree of K v element of R

494 views • 37 slides
Polynomial-Time Problems Lecture 3: The polynomial method Part I: Orthogonal Vectors Sebastian

Polynomial-Time Problems Lecture 3: The polynomial method Part I: Orthogonal Vectors Sebastian

Complexity Theory of Polynomial-Time Problems Lecture 3: The polynomial method Part I: Orthogonal Vectors Sebastian Krinninger Organization of lecture No lecture on 26.05. (State holiday) 2 nd exercise sheet: Next week Tutorials:

380 views • 34 slides
A compact Arnoldi algorithm for polynomial eigenvalue problems Yangfeng Su, Junyi Zhang, Zhaojun

A compact Arnoldi algorithm for polynomial eigenvalue problems Yangfeng Su, Junyi Zhang, Zhaojun

A compact Arnoldi algorithm for polynomial eigenvalue problems Yangfeng Su, Junyi Zhang, Zhaojun Bai School of Mathematical Sciences Fudan University January, 2008, Taiwan RANMEP2008 Goals Polynomial Eigenvalue Problems (PEPs): A 0

494 views • 37 slides
NP-Hardness reductions Definition: P is the class of problems that can be solved in polynomial

NP-Hardness reductions Definition: P is the class of problems that can be solved in polynomial

NP-Hardness reductions Definition: P is the class of problems that can be solved in polynomial time, that is n c for a constant c Roughly, if a problem is in P then it's easy, and if it's not in P then it's hard. We'd like to show that

1.23k views • 107 slides
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of

Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of

Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions Selected bibliography: LPR10 V.

810 views • 77 slides
Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal

Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal

Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal explanation of reductions: We have two problems, X and Y. Suppose we have a black-box solving problem X in polynomial-time. Can we use the black-box

1.38k views • 32 slides
Solving Evacuation Problems in Polynomial Space Miriam Schlter & Martin Skutella

Solving Evacuation Problems in Polynomial Space Miriam Schlter & Martin Skutella

Solving Evacuation Problems in Polynomial Space Miriam Schlter & Martin Skutella Solving Evacuation Problems in Polynomial Space Flows over Time Definition Solving Evacuation Problems in Polynomial Space Flows over Time Definition

650 views • 40 slides
Super-polynomial time approximability of inapproximable problems Edouard Bonnet, Michael

Super-polynomial time approximability of inapproximable problems Edouard Bonnet, Michael

Introduction Min Independent Dominating Set Max Induced Path/Forest/Tree Max Minimal Vertex Cover Super-polynomial time approximability of inapproximable problems Edouard Bonnet, Michael Lampis, Vangelis Paschos SZTAKI, Hungarian Academy

1.35k views • 88 slides
Reachability Problems in Nondeterministic Polynomial . Maps on the Integers Sang-Ki Ko 1 Reino

Reachability Problems in Nondeterministic Polynomial . Maps on the Integers Sang-Ki Ko 1 Reino

. . . . . . . . . . . . Reachability Problems in Nondeterministic Polynomial . Maps on the Integers Sang-Ki Ko 1 Reino Niskanen 2 Igor Potapov 3 1 Korea Electronics Technology Institute, South Korea 2 Department of Computer Science,

1.39k views • 105 slides
Computability and Complexity Lecture 11 Polynomial time verifiers More problems in NP

Computability and Complexity Lecture 11 Polynomial time verifiers More problems in NP

Computability and Complexity Lecture 11 Polynomial time verifiers More problems in NP Polynomial time reducibility given by Jiri Srba Lecture 11 Computability and Complexity 1/13 Motivation Example: HAMPATH HAMPATH def = { G , s , t |

282 views • 13 slides
Galois groups arising from arithmetic differential equations ALEXANDRU BUIUM University of New

Galois groups arising from arithmetic differential equations ALEXANDRU BUIUM University of New

Galois groups arising from arithmetic differential equations ALEXANDRU BUIUM University of New Mexico 1. Aim of the talk 1) Briefly introduce arithmetic differential equations (Reference: AB, Inventiones 1995; AB, book, AMS 2005) 2) Show

484 views • 32 slides
Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1 / 13 Agenda 1 Polynomial rings, ideal lattices and Ring-LWE 2 Basic Ring-LWE encryption 3 Fully homomorphic encryption Selected bibliography:

840 views • 64 slides
The Geometry of Rings Chris Peikert Georgia Institute of Technology ECRYPT II Summer School on

The Geometry of Rings Chris Peikert Georgia Institute of Technology ECRYPT II Summer School on

The Geometry of Rings Chris Peikert Georgia Institute of Technology ECRYPT II Summer School on Lattices Porto, Portugal 2 Oct 2012 1 / 13 LWE Over Rings (Over-Simplified) [LPR10] Ring R := Z [ X ] / (1 + X n ) for some n = 2 k , R q :=

1.31k views • 79 slides
IPORPR WG (IP over Resilient Packet Rings) Chairs: F. Kastenholz; A. Herrera IETF IPoRPR Mar

IPORPR WG (IP over Resilient Packet Rings) Chairs: F. Kastenholz; A. Herrera IETF IPoRPR Mar

IPORPR WG (IP over Resilient Packet Rings) Chairs: F. Kastenholz; A. Herrera IETF IPoRPR Mar 2001 IPoRPR Work Group F.Kastenholz; A. Herrera IPoRPR WG Status Current Charter focused on IP over IEEE 802.17 RPR WG deliverable is a

320 views • 11 slides
SIMPSONS for beam modelling in high intensity rings Shinji Machida STFC/Rutherford Appleton

SIMPSONS for beam modelling in high intensity rings Shinji Machida STFC/Rutherford Appleton

SIMPSONS for beam modelling in high intensity rings Shinji Machida STFC/Rutherford Appleton Laboratory 19 September 2019 Many thanks to H. Hotchi for his contribution to the code and letting me show his results. Based on the presentation at

520 views • 40 slides
Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr ager (Penn State), Sean Hallgren (Penn State), Kristin Lauter (Microsoft Research), Travis Morrison (Penn State), Christophe Petit (Birmingham)

427 views • 38 slides
Supertubes Supersymmetric Black Black Rings Rings Supertubes Supersymmetric and and S 2 S 1

Supertubes Supersymmetric Black Black Rings Rings Supertubes Supersymmetric and and S 2 S 1

Supertubes Supersymmetric Black Black Rings Rings Supertubes Supersymmetric and and S 2 S 1 David Mateos Mateos David Emparan & DM , to appear Microscopic Entropy of the Black Ring [hep-th/0411187] M. Cyrier, M. Guica, DM

431 views • 16 slides
Automorphism groups of Schur rings over cyclic groups of prime-power order Reinhard Pschel

Automorphism groups of Schur rings over cyclic groups of prime-power order Reinhard Pschel

Schur-rings (S-rings) Automorphism groups of S-rings Final (personal) remarks Automorphism groups of Schur rings over cyclic groups of prime-power order Reinhard Pschel joint work with Mikhail Klin Institut fr Algebra Technische

1.47k views • 98 slides

More recommend