On the Ring-LWE and Polynomial-LWE problems. Miruna Roşca, Damien Stehlé, Alexandre Wallet (PowerPoint PPT presentation, 35 slides).


  1. On the Ring-LWE and Polynomial-LWE problems Miruna Roşca, Damien Stehlé, Alexandre Wallet 1/35 A. Wallet

  2. About today’s talk. It’s post-quantum (public-key) crypto time!
  Cryptography = building secure schemes. Theoretical security = reduction from hard† algorithmic problems.
  Classical public-key crypto (RSA, DLog) is broken by quantum computers ⇒ we need quantum-hard† problems.
  This talk is about: lattice-based cryptography (a post-quantum assumption), and reductions between hard† problems related to lattices. Theoretical stuff, but it impacts the understanding of practical schemes.
  †: at least conjecturally.


  4. The landscape (diagram). ApproxSVP on O_K-ideals → [PRS17] → Decision RLWE∨ ↔ Search RLWE∨, stated over K = Q[X]/f with the dual O_K∨. The three “ring-based LWE” settings are RLWE∨ (over O_K∨), RLWE (over O_K: Decision RLWE ↔ Search RLWE) and PLWE (over Z[X]/f: Decision PLWE ↔ Search PLWE). The reductions between these three settings are the subject of this work.


  6. “On variants of Polynomial-LWE and Ring-LWE” (EUROCRYPT 2018). Results: (A) the 3 settings are essentially† the same; (B) Search = Decision in all settings. Not described here: worst-case hardness for Polynomial-LWE.
  †: for a large number of “reasonable” polynomials, up to polynomial factors on the noise, assuming some information about the field is known.

  7. Outline: 1. LWE and cryptography (Regev’s encryption scheme; Learning With Errors (LWE) and its hardness). 2. Ring-based LWE. 3. Reductions between ring-based LWE’s. 4. Search to Decision. 5. Open problems.

  8. An encryption scheme [Regev’05]. Parameters: n the “security parameter”, q prime, n ≤ m ≤ poly(n), D a distribution over Z_q = Z/qZ. Correctness: q, m, χ are chosen s.t. e′ = Σ e_i ≤ q/4 whp, so that Dec_s(a′, b′) = 0 if e′ ∼ 0 and 1 if e′ ∼ q/2.

  11. Learning With Errors [Regev’05]. n ∈ N*, q ≤ poly(n) a prime, D → D_σ the discrete Gaussian distribution, Z_q := Z/qZ. LWE distribution: fix s ∈ Z_q^n; A_{s,σ,q} draws a ← U(Z_q^n), e ← D_σ, and outputs (a, b = ⟨a, s⟩ + e mod q).
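As an added worked example (not part of the slides), the following Python implements the LWE sampler of slide 11 and the standard Regev’05 bit-encryption scheme of slide 8 on top of it, so that the correctness condition e′ ≤ q/4 can be checked by recovering the decryption noise. The parameters n = 8, q = 257, m = 32 and the rounded-Gaussian error are my own toy choices for a runnable demo and are far too small to be secure; the rounded continuous Gaussian stands in for the discrete Gaussian D_σ.

```python
import random

# Toy parameters chosen for this demonstration only (far too small to be
# secure): n = secret dimension, q prime, m = number of public LWE samples,
# SIGMA = width of the error distribution D_sigma.
N, Q, M, SIGMA = 8, 257, 32, 1.0


def sample_error(rng, sigma=SIGMA):
    """Rounded continuous Gaussian: a stand-in for the discrete Gaussian
    D_sigma of the slides (adequate for a correctness demo)."""
    return int(round(rng.gauss(0.0, sigma)))


def lwe_sample(rng, s, q=Q, sigma=SIGMA):
    """One draw from A_{s,sigma,q}: a <- U(Z_q^n), e <- D_sigma,
    output (a, b = <a, s> + e mod q)."""
    a = [rng.randrange(q) for _ in range(len(s))]
    e = sample_error(rng, sigma)
    b = (sum(ai * si for ai, si in zip(a, s)) + e) % q
    return a, b


def keygen(rng, n=N, q=Q, m=M):
    """Secret s <- Z_q^n; public key = m LWE samples under s."""
    s = [rng.randrange(q) for _ in range(n)]
    pk = [lwe_sample(rng, s, q) for _ in range(m)]
    return s, pk


def encrypt(rng, pk, bit, q=Q):
    """Regev encryption of one bit: add up a random subset of the public
    samples and shift the b-part by bit * floor(q/2)."""
    n = len(pk[0][0])
    a_sum, b_sum = [0] * n, 0
    for a, b in pk:
        if rng.random() < 0.5:          # include this sample in the subset
            a_sum = [(x + y) % q for x, y in zip(a_sum, a)]
            b_sum = (b_sum + b) % q
    return a_sum, (b_sum + bit * (q // 2)) % q


def decryption_noise(s, ct, q=Q):
    """b' - <a', s> mod q, centred into (-q/2, q/2]: this is e' (shifted by
    q/2 when the encrypted bit is 1)."""
    a_prime, b_prime = ct
    v = (b_prime - sum(x * y for x, y in zip(a_prime, s))) % q
    return v - q if v > q // 2 else v


def decrypt(s, ct, q=Q):
    """Dec_s(a', b'): 0 if the noise is near 0, 1 if it is near q/2
    (threshold q/4, which is what the correctness condition guarantees)."""
    return 0 if abs(decryption_noise(s, ct, q)) < q / 4 else 1


def roundtrip_ok(seed=1, trials=50):
    """Encrypt and decrypt random bits under one key pair; True iff every
    bit is recovered, i.e. the accumulated error e' stayed below q/4."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return all(decrypt(s, encrypt(rng, pk, bit)) == bit
               for bit in (rng.randrange(2) for _ in range(trials)))
```

With σ = 1 and at most m = 32 errors summed, e′ is a few units wide, comfortably below q/4 ≈ 64; raising σ or m until `roundtrip_ok` starts failing is the quickest way to see the correctness constraint of slide 8 in action.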

  12. LWE hardness and lattices [Regev’05]. ApproxSVP_γ: given a basis B, compute λ_1 up to a factor γ. For γ = poly(n), the best known algorithm runs in time 2^{O(n)} (classical and quantum). Reduction chain: break Regev’s encryption ⇒ solve Decision-LWE ⇒ (classical) solve Search-LWE ⇒ (quantum) solve ApproxSVP_{poly(n)}. Practical limitations of LWE: public data size, speed. A solution: use structured matrices/lattices.


  14. Outline: 1. LWE and cryptography. 2. Ring-based LWE (Polynomial-LWE: ideal lattices; Ring-LWE: more algebraic number theory). 3. Reductions between ring-based LWE’s. 4. Search to Decision. 5. Open problems.

  15. Polynomial-LWE (PLWE) [SSTX09]. Change Z_q^n to R_q := Z_q[X]/f. Good example: f = X^n + 1 with n = 2^d. Polynomials ↔ integer vectors/matrices: s = Σ s_i X^i ∈ R_q ↔ s = (s_0, …, s_{n−1})^⊤ ∈ Z_q^n. Product a · s mod f ↔ multiplication by the structured matrix T_f(a) (for f = X^n + 1, column j holds the coefficients of a · X^j mod f):

  $$T_f(a) = \begin{pmatrix} a_0 & -a_{n-1} & \cdots & -a_1 \\ a_1 & a_0 & \cdots & -a_2 \\ \vdots & \vdots & \ddots & \vdots \\ a_{n-1} & a_{n-2} & \cdots & a_0 \end{pmatrix}$$


  17. PLWE and its hardness [SSTX’09]. R = Z[X]/f with f monic, irreducible, of degree n. Σ: any positive definite matrix; D_Σ the n-dimensional Gaussian. PLWE distribution: fix s ∈ R_q; PLWE_{q,Σ,f,s} draws a ← U(R_q), e ← D_Σ, and outputs (a, b = (a · s + e) mod qR). Solving Search-PLWE ⇒ solving ApproxSVP_γ in ideal lattices for γ ≤ poly(n). Ideal lattice? Ex: aR = {multiples of a in R} ↦ T_f(a) · Z^n.
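The following Python is an added example, not code from the slides, covering slide 15 (the structured matrix T_f(a) for f = X^n + 1) and slide 17 (the PLWE distribution). It multiplies in R_q = Z_q[X]/(X^n + 1) directly, builds the negacyclic matrix T_f(a), checks that T_f(a) · s gives the same coefficients as a · s mod f, and draws one PLWE sample whose error can be recovered with the secret. The parameters n = 8, q = 257 and the rounded-Gaussian error (standing in for D_Σ) are my own toy choices.

```python
import random

N, Q = 8, 257   # toy parameters chosen for the demonstration (not secure)


def poly_mul_mod(a, s, q=Q):
    """Coefficients of a * s in R_q = Z_q[X]/(X^n + 1), n = len(a) = len(s)."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, sj in enumerate(s):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * sj) % q
            else:                      # X^n = -1 in R_q, so X^k = -X^(k-n)
                out[k - n] = (out[k - n] - ai * sj) % q
    return out


def negacyclic_matrix(a, q=Q):
    """T_f(a) for f = X^n + 1: column j holds the coefficients of
    a * X^j mod f, so T_f(a) applied to s equals the coefficients of a * s."""
    n = len(a)
    return [[a[k - j] % q if k >= j else (-a[n + k - j]) % q
             for j in range(n)] for k in range(n)]


def mat_vec(T, s, q=Q):
    """Matrix-vector product over Z_q."""
    return [sum(t * x for t, x in zip(row, s)) % q for row in T]


def plwe_sample(rng, s, sigma=1.0, q=Q):
    """One PLWE_{q,sigma,f,s} sample: a <- U(R_q), e <- rounded Gaussian
    (a stand-in for D_Sigma), b = a * s + e mod qR."""
    n = len(s)
    a = [rng.randrange(q) for _ in range(n)]
    e = [int(round(rng.gauss(0.0, sigma))) for _ in range(n)]
    b = [(x + y) % q for x, y in zip(poly_mul_mod(a, s, q), e)]
    return a, b


def centred(v, q=Q):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v


def recovered_noise(a, b, s, q=Q):
    """Knowing s, b - a*s mod q gives back the (centred) error vector e;
    the product is computed through T_f(a) to exercise the matrix view."""
    prod = mat_vec(negacyclic_matrix(a, q), s, q)
    return [centred(x - y, q) for x, y in zip(b, prod)]


def plwe_noise_is_small(seed=0, bound=6):
    """Draw a PLWE sample under a random secret and check that the recovered
    error is small: True when the sampler and the matrix agree."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    a, b = plwe_sample(rng, s)
    return all(abs(e) <= bound for e in recovered_noise(a, b, s))
```

The hand-checkable case n = 2 is (1 + 2X)(3 + 4X) = 3 + 10X + 8X^2 = −5 + 10X mod X^2 + 1, i.e. [252, 10] over Z_257, and the same vector comes out of `mat_vec(negacyclic_matrix([1, 2]), [3, 4])`.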


  19. Practice vs. theory. Perks: ✓ fast and compact operations, ✓ post-quantum scheme. NewHope (NIST competitor): public key ∼ 2 KBytes, handshake ∼ 0.3 ms. Theoretical limitations: ✗ γ depends on f’s “expansion factor” → restricts the “good f’s”; ✗ working with R relies too much on f → lack of generality/flexibility.

  20. Number fields and rings. R = Z[X]/f is a number ring; it lives in K = Q[X]/f, a number field. Structure: K = Span_Q(1, X, …, X^{n−1}) where n = deg f. Field embeddings: σ_j(a) = Σ_i a_i α_j^i ∈ C, where f = Π_{j≤n}(X − α_j). f has s_1 real roots and 2 s_2 (conjugate) complex roots. Two representations: the coefficient embedding a ↦ a = (a_0, …, a_{n−1})^⊤ ∈ Q^n, and the “canonical” embedding a ↦ σ(a) = (σ_1(a), …, σ_n(a))^⊤ ∈ H, which is multiplicative: σ(ab) = (σ_i(a) σ_i(b))_{i≤n}. H is an R-inner-product space of dimension n in C^n. The “canonical norm” ≠ the “coefficient norm”.


  22. The ring of algebraic integers O_K = {x ∈ K roots of monic polynomials in Z[X]}. It is a lattice: O_K = Z b_1 + … + Z b_n for some b_i ∈ O_K (b_i ≠ 0). (As any lattice, it has a dual O_K∨.) O_K is a regularization of Z[X]/f (in general, R ⊊ O_K). O_K is intrinsic to K: its structure is independent of f. It may not be possible to take 1, X, …, X^{n−1} as a basis, and computing a Z-basis for O_K is usually hard.

  23. Ring-LWE (RLWE) [LPR10]. New ring choice: O_{K,q} = O_K/qO_K. α_1, …, α_n ∈ C: the roots of f. Algebraic integers ↔ complex vectors/matrices: s ∈ O_{K,q}∨ ↔ σ(s) = (s(α_1), …, s(α_n)) ∈ C^n. Product a · s ↔ coordinate-wise multiplication by a: σ(as) = (a(α_1) s(α_1), …, a(α_n) s(α_n)), i.e. multiplication by D(a) := Diag(a(α_1), …, a(α_n)).
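As an added example for slides 20 and 23 (my own code, not the authors’), the Python below computes the canonical embedding σ for two fields whose roots are known in closed form, verifies that multiplication in K = Q[X]/f becomes coordinate-wise multiplication (the diagonal matrix D(a)) after embedding, and compares the canonical norm with the coefficient norm. It goes one step beyond the slide: for f = X^2 − 2 the ratio of the two norms depends on the element, while for the power-of-two cyclotomic f = X^4 + 1 the ratio is constant (= 2 = √n), since the Vandermonde matrix of the roots is √n times a unitary matrix. Both fields and all sample elements are constructed for the demo.

```python
import cmath
import math

# Two number fields with roots known in closed form (constructed for this
# demo). f is a coefficient list, lowest degree first, leading coefficient 1.
F_SQRT2 = [-2.0, 0.0, 1.0]                         # f = X^2 - 2: s1 = 2 real roots
ROOTS_SQRT2 = [math.sqrt(2.0), -math.sqrt(2.0)]
F_X4P1 = [1.0, 0.0, 0.0, 0.0, 1.0]                 # f = X^4 + 1: s2 = 2 conjugate pairs
ROOTS_X4P1 = [cmath.exp(1j * math.pi * (2 * k + 1) / 4) for k in range(4)]


def field_mul(a, b, f):
    """a * b in K = Q[X]/f: schoolbook product, then reduce X^k (k >= n)
    using X^n = -(f_0 + f_1 X + ... + f_{n-1} X^{n-1})."""
    n = len(f) - 1
    prod = [0.0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    for k in range(2 * n - 2, n - 1, -1):
        c, prod[k] = prod[k], 0.0
        for i in range(n):
            prod[k - n + i] -= c * f[i]
    return prod[:n]


def canonical_embedding(a, roots):
    """sigma(a) = (sigma_1(a), ..., sigma_n(a)), sigma_j(a) = sum_i a_i alpha_j^i."""
    return [sum(ai * root ** i for i, ai in enumerate(a)) for root in roots]


def coefficient_norm(a):
    """Euclidean norm of the coefficient vector (a_0, ..., a_{n-1})."""
    return math.sqrt(sum(ai * ai for ai in a))


def canonical_norm(a, roots):
    """Euclidean norm of sigma(a) in C^n (the 'canonical norm')."""
    return math.sqrt(sum(abs(z) ** 2 for z in canonical_embedding(a, roots)))


def embedding_is_multiplicative(a, b, f, roots, tol=1e-9):
    """Check sigma(ab) = (sigma_i(a) sigma_i(b))_i: multiplication by a acts
    on sigma(b) as D(a) = Diag(a(alpha_1), ..., a(alpha_n))."""
    lhs = canonical_embedding(field_mul(a, b, f), roots)
    rhs = [x * y for x, y in zip(canonical_embedding(a, roots),
                                 canonical_embedding(b, roots))]
    return max(abs(x - y) for x, y in zip(lhs, rhs)) < tol


def norm_ratio(a, roots):
    """||sigma(a)|| / ||a||: constant over K iff the two norms are proportional."""
    return canonical_norm(a, roots) / coefficient_norm(a)
```

For K = Q(√2), the element 1 has σ(1) = (1, 1) and ratio √2, while X has σ(X) = (√2, −√2) and ratio 2; this is the concrete sense in which “canonical norm ≠ coefficient norm” on slide 20, and why bounds on the noise must say which norm they use.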

  24. RLWE [LPR’10]. R ⊊ O_K; use the canonical embedding. H = Span_R(v_1, …, v_n); D^H_Σ: e_i ← D_Σ, outputs e = Σ e_i v_i ∈ H. Assume a Z-basis of O_K is known. RLWE∨_{q,Σ,s} distribution: fix s ∈ O_{K,q}∨ := O_K∨/qO_K∨; draw a ← U(O_{K,q}), e ← D^H_Σ, and output (a, b = (as + e) mod qO_K∨). “Primal” variant: RLWE_{q,Σ,s} with s ∈ O_{K,q} := O_K/qO_K. The dual appears “naturally” in the reduction; for some rings, describing the dual is easy (but then, so is getting to the “primal” version).

  25. ✓ “Canonical” objects ✓ flexible (theoretical) tools ✓ more general proofs. [LPR’10]: Decision-RLWE∨ = Search-RLWE∨ for Galois fields. [PRS’17]: Decision ⇒ ApproxSVP for RLWE∨, RLWE, PLWE. Situation? Using RLWE∨ variants → deal with O_K∨ and floating-point numbers. Z-basis of O_K? → long precomputations, non-uniform reductions. In practice (NewHope), f = X^{2^d} + 1, O_K = Z[X]/f and the coefficient embedding. What if cyclotomic fields are “weak”?
