How (Not) to Instantiate Ring-LWE Chris Peikert University of - PowerPoint PPT Presentation

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography for Networks 1 September 2016 1 / 12

Conclusions 2 / 12

Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error distributions that are incongruous to the ring geometry. This explains their vulnerability to attacks. 2 / 12

Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error distributions that are incongruous to the ring geometry. This explains their vulnerability to attacks. 2 ‘Peculiar’ aspects of the Ring-LWE definition and worst-case hardness theorems—adopted for generality and tightness—also yield provable immunity to the attacks (and generalizations). 2 / 12

Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error distributions that are incongruous to the ring geometry. This explains their vulnerability to attacks. 2 ‘Peculiar’ aspects of the Ring-LWE definition and worst-case hardness theorems—adopted for generality and tightness—also yield provable immunity to the attacks (and generalizations). 3 For Ring-LWE security, proper choice of error distribution is essential: error should be ‘well spread’ relative to the ring and its small-norm ideals. 2 / 12

Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) 3 / 12

Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 ≈ � a 1 , s � mod q q a 2 ← Z n , b 2 ≈ � a 2 , s � mod q q . . . 3 / 12

Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q 3 / 12

Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) 3 / 12

Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is Versatile and Hard (. . . maybe even for quantum!) worst case ≤ search-LWE ≤ decision-LWE ≤ much crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] 3 / 12

Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is Versatile and Hard (. . . maybe even for quantum!) worst case ≤ search-LWE ≤ decision-LWE ≤ much crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] ◮ Also a classical reduction for search-LWE [P’09,BLPRS’13] 3 / 12

Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is (sort of) Efficient ◮ Getting one pseudorandom Z q -scalar requires an n -dim inner product. 3 / 12

Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is (sort of) Efficient ◮ Getting one pseudorandom Z q -scalar requires an n -dim inner product. ◮ Cryptosystems have large keys: Ω( n 2 log 2 q ) bits. 3 / 12

Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is (sort of) Efficient ◮ Getting one pseudorandom Z q -scalar requires an n -dim inner product. ◮ Cryptosystems have large keys: Ω( n 2 log 2 q ) bits. ◮ Inspired by NTRU [HPS’96] , for efficiency we go to the ring setting. . . 3 / 12

Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) 4 / 12

Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) 4 / 12

Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) 4 / 12

Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R q , given independent samples a 1 ← R q , b 1 = a 1 · s + e 1 ∈ R q a 2 ← R q , b 2 = a 2 · s + e 2 ∈ R q ( e i ← χ ) . . . 4 / 12

Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R q , given independent samples a 1 ← R q , b 1 = a 1 · s + e 1 ∈ R q a 2 ← R q , b 2 = a 2 · s + e 2 ∈ R q ( e i ← χ ) . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R q 4 / 12

Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R ∨ (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R ∨ q , given independent samples b 1 = a 1 · s + e 1 ∈ R ∨ a 1 ← R q , q b 2 = a 2 · s + e 2 ∈ R ∨ a 2 ← R q , ( e i ← χ ) q . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R ∨ q !!! [LPR’10] actually defines R -LWE using ‘dual’ ideal R ∨ = t − 1 R . 4 / 12

Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R ∨ (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R ∨ q , given independent samples b 1 = a 1 · s + e 1 ∈ R ∨ a 1 ← R q , q b 2 = a 2 · s + e 2 ∈ R ∨ a 2 ← R q , ( e i ← χ ) q . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R ∨ q !!! [LPR’10] actually defines R -LWE using ‘dual’ ideal R ∨ = t − 1 R . ‘(Non-)Dual’ forms are equivalent up to χ , via a ‘tweak:’ [AP’13] 4 / 12

Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R ∨ (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R ∨ q , given independent samples b 1 = a 1 · s + e 1 ∈ R ∨ a 1 ← R q , q b 2 = a 2 · s + e 2 ∈ R ∨ a 2 ← R q , ( e i ← χ ) q . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R ∨ q !!! [LPR’10] actually defines R -LWE using ‘dual’ ideal R ∨ = t − 1 R . ‘(Non-)Dual’ forms are equivalent up to χ , via a ‘tweak:’ [AP’13] b ↔ t · b induces s ↔ t · s, e ↔ t · e. Tweak may dramatically change width and shape of χ ! 4 / 12

Ring-LWE Instantiations, Hard and Easy ◮ ‘Dual’ R -LWE with wide enough (near-)spherical error is hard: worst-case approx-SVP ≤ search R -LWE ≤ decision R -LWE on ideal lattices in R (quantum, (classical, any R = O K ) any Galois R ) 5 / 12

How (Not) to Instantiate Ring-LWE Chris Peikert University of - PowerPoint PPT Presentation

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography for Networks 1 September 2016 1 / 12 Conclusions 2 / 12 Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech

Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC

The Geometry of Rings Chris Peikert Georgia Institute of Technology ECRYPT II Summer School on

HOMOMORPHIC ENCRYPTION Craig Gentry Shai Halevi Chris Peikert Nigel P. Smart HE Over

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

SPRING Fast Pseudorandom Functions from Rounded Ring Products G. Leurent () . . . . . . . . . .

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of