Provably weak instances of Ring-LWE revisited

Wouter Castryck (1,2), Ilia Iliashenko (1), Frederik Vercauteren (1,3)
(1) COSIC, KU Leuven; (2) Ghent University; (3) Open Security Research

EUROCRYPT, May 9, 2016
Abstract

We revisit the paper "Provably weak instances of Ring-LWE" by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015, in which the authors
◮ investigate if evaluation-at-1 attacks apply to Ring-LWE,
◮ claim to have indeed found vulnerable instances.
◮ Vulnerable meaning: leak partial information about the secret with non-negligible probability.

However,
◮ they did not set up Ring-LWE as described in [LPR].
◮ Their instantiation generates many noise-free equations
◮ allowing one to recover the entire secret with near certainty.

Currently no threat to Ring-LWE.
1. Learning With Errors (LWE)

The LWE problem (O. Regev, '05): solve a linear system

$$
\begin{pmatrix} b_0 \\ b_1 \\ \vdots \\ b_{n-1} \end{pmatrix}
=
\begin{pmatrix}
a_{10} & a_{11} & \dots & a_{1,n-1} \\
a_{20} & a_{21} & \dots & a_{2,n-1} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m0} & a_{m1} & \dots & a_{m,n-1}
\end{pmatrix}
\cdot
\begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix}
+
\begin{pmatrix} e_0 \\ e_1 \\ \vdots \\ e_{n-1} \end{pmatrix}
$$

over a finite field $\mathbb{F}_p$ for a secret $(s_0, s_1, \dots, s_{n-1}) \in \mathbb{F}_p^n$ where
◮ each equation is perturbed by a "small" error, i.e. $b_i = a_{i0} s_0 + a_{i1} s_1 + \dots + a_{i,n-1} s_{n-1} + e_i$,
◮ the $a_{ij} \in \mathbb{F}_p$ are chosen uniformly at random,
◮ an adversary can ask for new equations ($m > n$).
1. Learning With Errors (LWE)

Features:
◮ hardness reduction from classical lattice problems,
◮ versatile building block for cryptography, enabling exciting applications (FHE, PQ crypto, ...)

Drawback: key size.
◮ To hide the secret one needs an entire linear system:

$$
\underbrace{\begin{pmatrix} b_0 \\ b_1 \\ \vdots \\ b_{n-1} \end{pmatrix}}_{n \log p}
\approx
\underbrace{\begin{pmatrix}
a_{10} & a_{11} & \dots & a_{1,n-1} \\
a_{20} & a_{21} & \dots & a_{2,n-1} \\
\vdots & \vdots & \ddots & \vdots \\
a_{m0} & a_{m1} & \dots & a_{m,n-1}
\end{pmatrix}}_{mn \log p}
\cdot
\underbrace{\begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix}}_{n \log p}
$$
2. Ring-based LWE

Solution:
◮ Identify the key space $\mathbb{F}_p^n$ with $\mathbb{Z}[x] / (p, f(x))$ for some monic degree $n$ polynomial $f(x) \in \mathbb{Z}[x]$, by viewing $(s_0, s_1, \dots, s_{n-1})$ as $s_0 + s_1 x + s_2 x^2 + \dots + s_{n-1} x^{n-1}$.
◮ Use samples of the form

$$
\begin{pmatrix} b_0 \\ b_1 \\ \vdots \\ b_{n-1} \end{pmatrix}
\approx
A_a \cdot
\begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix}
$$

with $A_a$ the matrix of multiplication by some random $a(x) = a_0 + a_1 x + \dots + a_{n-1} x^{n-1}$.
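As an added example (not code from the slides or from the paper under discussion), the Ring-LWE sample above written out: $A_a$ is built as the matrix of multiplication by $a(x)$ in $\mathbb{Z}[x]/(p, f(x))$, and $b = A_a \cdot s + e$ is checked against $a(x)s(x) + e(x) \bmod (f, p)$, which is the LWE system of slide 3 with a structured matrix. The modulus $p$, the polynomial $f(x)$, the secret and the error are constructed toy values, far too small for any real use.

```python
# Added example (not from the slides or the paper): a Ring-LWE sample
# b = A_a * s + e over Z[x]/(p, f(x)), with A_a the matrix of multiplication
# by a(x). p, f(x), the secret and the error below are constructed toy values.
import random

def poly_mulmod(a, b, f, p):
    """Multiply coefficient lists a, b (lowest degree first) modulo the
    monic polynomial f (f[n] == 1, n = deg f) and modulo p."""
    n = len(f) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    # Reduce: cancel each term c*x^k with k >= n by subtracting c*x^(k-n)*f(x).
    for k in range(len(prod) - 1, n - 1, -1):
        c = prod[k]
        if c:
            for t in range(n + 1):
                prod[k - n + t] = (prod[k - n + t] - c * f[t]) % p
    prod = prod[:n]
    return prod + [0] * (n - len(prod))

def mul_matrix(a, f, p):
    """A_a: column j is the coefficient vector of a(x) * x^j mod (f, p).
    The whole n x n matrix is fixed by the n coefficients of a(x), which is
    why a Ring-LWE sample costs n log p instead of mn log p bits."""
    n = len(f) - 1
    cols = [poly_mulmod(a, [0] * j + [1], f, p) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def ring_lwe_sample(a, s, e, f, p):
    """b = A_a * s + e (mod p), computed as a matrix-vector product and as
    a(x)*s(x) + e(x) mod (f, p); the two views must agree."""
    n = len(f) - 1
    A = mul_matrix(a, f, p)
    b_matrix = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % p for i in range(n)]
    prod = poly_mulmod(a, s, f, p)
    b_poly = [(prod[i] + e[i]) % p for i in range(n)]
    assert b_matrix == b_poly
    return b_matrix

def random_sample(s, f, p, seed, err_bound=1):
    """Draw a(x) uniformly at random and a 'small' error e(x) with
    coefficients in [-err_bound, err_bound]; return (a, b)."""
    n, rng = len(f) - 1, random.Random(seed)
    a = [rng.randrange(p) for _ in range(n)]
    e = [rng.randint(-err_bound, err_bound) % p for _ in range(n)]
    return a, ring_lwe_sample(a, s, e, f, p)
```

With $f(x) = x^4 + 1$ the matrix $A_a$ is negacyclic, so its first column already determines the other three; any monic $f$ of degree $n$ works the same way.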