How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography for Networks 1 September 2016 1 / 12
Conclusions 2 / 12
Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error distributions that are incongruous to the ring geometry. This explains their vulnerability to attacks. 2 / 12
Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error distributions that are incongruous to the ring geometry. This explains their vulnerability to attacks. 2 ‘Peculiar’ aspects of the Ring-LWE definition and worst-case hardness theorems—adopted for generality and tightness—also yield provable immunity to the attacks (and generalizations). 2 / 12
Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error distributions that are incongruous to the ring geometry. This explains their vulnerability to attacks. 2 ‘Peculiar’ aspects of the Ring-LWE definition and worst-case hardness theorems—adopted for generality and tightness—also yield provable immunity to the attacks (and generalizations). 3 For Ring-LWE security, proper choice of error distribution is essential: error should be ‘well spread’ relative to the ring and its small-norm ideals. 2 / 12
Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) 3 / 12
Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 ≈ � a 1 , s � mod q q a 2 ← Z n , b 2 ≈ � a 2 , s � mod q q . . . 3 / 12
Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q 3 / 12
Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) 3 / 12
Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is Versatile and Hard (. . . maybe even for quantum!) worst case ≤ search-LWE ≤ decision-LWE ≤ much crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] 3 / 12
Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is Versatile and Hard (. . . maybe even for quantum!) worst case ≤ search-LWE ≤ decision-LWE ≤ much crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] ◮ Also a classical reduction for search-LWE [P’09,BLPRS’13] 3 / 12
Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is (sort of) Efficient ◮ Getting one pseudorandom Z q -scalar requires an n -dim inner product. 3 / 12
Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is (sort of) Efficient ◮ Getting one pseudorandom Z q -scalar requires an n -dim inner product. ◮ Cryptosystems have large keys: Ω( n 2 log 2 q ) bits. 3 / 12
Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is (sort of) Efficient ◮ Getting one pseudorandom Z q -scalar requires an n -dim inner product. ◮ Cryptosystems have large keys: Ω( n 2 log 2 q ) bits. ◮ Inspired by NTRU [HPS’96] , for efficiency we go to the ring setting. . . 3 / 12
Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) 4 / 12
Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) 4 / 12
Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) 4 / 12
Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R q , given independent samples a 1 ← R q , b 1 = a 1 · s + e 1 ∈ R q a 2 ← R q , b 2 = a 2 · s + e 2 ∈ R q ( e i ← χ ) . . . 4 / 12
Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R q , given independent samples a 1 ← R q , b 1 = a 1 · s + e 1 ∈ R q a 2 ← R q , b 2 = a 2 · s + e 2 ∈ R q ( e i ← χ ) . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R q 4 / 12
Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R ∨ (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R ∨ q , given independent samples b 1 = a 1 · s + e 1 ∈ R ∨ a 1 ← R q , q b 2 = a 2 · s + e 2 ∈ R ∨ a 2 ← R q , ( e i ← χ ) q . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R ∨ q !!! [LPR’10] actually defines R -LWE using ‘dual’ ideal R ∨ = t − 1 R . 4 / 12
Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R ∨ (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R ∨ q , given independent samples b 1 = a 1 · s + e 1 ∈ R ∨ a 1 ← R q , q b 2 = a 2 · s + e 2 ∈ R ∨ a 2 ← R q , ( e i ← χ ) q . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R ∨ q !!! [LPR’10] actually defines R -LWE using ‘dual’ ideal R ∨ = t − 1 R . ‘(Non-)Dual’ forms are equivalent up to χ , via a ‘tweak:’ [AP’13] 4 / 12
Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R ∨ (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R ∨ q , given independent samples b 1 = a 1 · s + e 1 ∈ R ∨ a 1 ← R q , q b 2 = a 2 · s + e 2 ∈ R ∨ a 2 ← R q , ( e i ← χ ) q . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R ∨ q !!! [LPR’10] actually defines R -LWE using ‘dual’ ideal R ∨ = t − 1 R . ‘(Non-)Dual’ forms are equivalent up to χ , via a ‘tweak:’ [AP’13] b ↔ t · b induces s ↔ t · s, e ↔ t · e. Tweak may dramatically change width and shape of χ ! 4 / 12
Ring-LWE Instantiations, Hard and Easy ◮ ‘Dual’ R -LWE with wide enough (near-)spherical error is hard: worst-case approx-SVP ≤ search R -LWE ≤ decision R -LWE on ideal lattices in R (quantum, (classical, any R = O K ) any Galois R ) 5 / 12
Recommend
More recommend