An Introduction to the Problem in 3 Hours

賴奕甫 Peter W. Shor

There are polynomial-time quantum algorithms that can solve • Factorization Problem • Problem (over ℤ푝) About ECC

There is also a quantum algorithm that can solve • Discrete Logarithm Problem over Elliptic Curves ; (

If there was a practical quantum computer, then it was able to break • RSA encryption, signature scheme • Diffie-Hellman Key Exchange, Elgamal, DSA • Elliptic Curve Diffie-Hellman (ECDH), Elliptic Curve DSA (ECDSA) • …etc

No more forward secrecy. Post-Quantum

Lattice-based cryptography • Post-quantum cryptography • is a branch of cryptography • Multivariate cryptography that considers cryptographic • Hash-based cryptography algorithms which is still • Code-based cryptography secure against quantum • Supersingular elliptic curve isogeny cryptography attack.

LWE Problem

• The learning with errors problem (LWE) is included in the - based cryptography. • The LWE problem is versatile (it can be used to construct a variety of cryptographic algorithms). For example, A Simple Introduction to the Lattice

• This is a lattice in ℝ2.

It can be written as… • 푥, 푦 |푥, 푦 ∈ ℤ

Also written as… 1 0 • ℤ + ℤ 0 1 1 0 • ℤ + ℤ 1 1 1 1 • ℤ + ℤ 0 1 • ... A Lattice A Simple Introduction to the Lattice

푛 • Definition 1. For a linear independent set 퐵 = 푢1, … , 푢푘 ⊂ ℝ , a lattice 퐿 generated by 퐵 in ℝ푛 is defined to be

퐿 = ℤ푢푖 .

(If 푘 = 푛, then the lattice is said to be a full-rank lattice.)

There is an equivalent definition for the lattice in ℝ푛-- A Simple Introduction to the Lattice

• Definition 2. A set 퐿 ⊂ ℝ푛 is said to be a discrete additive subgroup if it satisfies the following two conditions:

1. It is closed under addition and substraction. (additive subgroup)

2. There is a constant 휖 > 0 such that for any 푣 ∈ 퐿

퐿 ∩ 푤 ∈ ℝ푛: 푣 − 푤 = 푣 . (discrete)

• Theorem. In ℝ푛, a subset of ℝ푛 is a lattice if and only if it is a discrete additive subgroup.

(see p.25 in Algebraic by Neukirch ) Mythology in Lattice-Based Cryptography

• Given a linear independent generating set of a lattice 퐿 in ℝ푛 . • 퐶푙표푠푒푠푡 푣푒푐푡표푟 푝푟표푏푙푒푚 (CVP): Given: a vector 푤 in ℝ푛. Request: Find 푣 ∈ 퐿 such that 푤 − 푣 = min 푤 − 푢 푢∈퐿 • 푆ℎ표푟푒푠푡 푣푒푐푡표푟 푝푟표푏푙푒푚 (SVP): Request: Find a nonzero vector 푣 ∈ 퐿 such that

푣 = min 푢 푢∈퐿− 0

Hardness: CVP≥SVP (sketch)

• Given a lattice 퐿 generated by a independent set 푏1, … , 푏푛 .

• Write the shortest nonzero lattice point 푣 = 푎푖푏푖.

(Note that 푎푖 ∈ ℤ can not be all even.)

′ ′ • For each 푖, feed the CVP oracle with 퐿푖, 푏푖 where lattice 퐿푖 is generated by {푏1, … , 푏푖−1, 2푏푖, 푏푖+1, 푏푛}

• And the output is 푣푖

• Then 푣푗 − 푏푗 is the shortest nonzero vector for some 푗.

(Why?) Linear Equations

푇 4 • There is a secret vector 풔 = 푠1, 푠2, 푠3, 푠4 ∈ ℤ13

• Given 1푠1 + 2푠2 + 5푠3 + 2푠4 = 9 푚표푑 13 12푠1 + 1푠2 + 1푠3 + 6푠4 = 7 푚표푑 13 6푠1 + 10푠2 + 3푠3 + 6푠4 = 1 푚표푑 13 10푠1 + 4푠2 + 12푠3 + 8푠4 = 0 푚표푑 13 . • Solve for 풔 The Learning with Errors Problem (Search)

푇 4 • There is a secret vector 풔 = 푠1, 푠2, 푠3, 푠4 ∈ ℤ13 • Given 5푠1 + 5푠2 + −3 푠3 + 7푠4 ≈ 6 푚표푑 13 −1푠1 + 1푠2 + 2푠3 + −5 푠4 ≈ −4 푚표푑 13 −3 푠1 + 3푠2 + 7푠3 + 4푠4 ≈ 2 푚표푑 13 5푠1 + 4푠2 + −1 푠3 + 2푠4 ≈ −5 푚표푑 13 −4 푠1 + 6푠2 + 3푠3 + −2 푠4 ≈ 5 푚표푑 13 −2 푠1 + 3푠2 + 1푠3 + 6푠4 ≈ −3 푚표푑 13 . • There is an odds of ½ for each equation that is added by 1. • Solve for 풔 LWE distribution

• (Definition)

푛 1. For a secret vector 풔 ∈ ℤ푞 and distribution 휒, an LWE 푛 distribution 풜풔,푛,푞,휒 generates a sample 풂, 푏 ∈ ℤ푞 × 푚×푛 푚 ℤ푞 or (퐴, 풃) ∈ ℤ푞 × ℤ푞 where 풂 sampled uniformly from 푛 ℤ푞 and 푏 = 풂, 풔 + 푒 where 푒 ← 휒. 풂ퟏ

풂ퟐ LWE Problem (Search) × 풔 풂 + 풆 풃 = ퟑ ⋮ • (Definition) 2. LWE problem (Search):

풏 • Secret 풔 ∈ ℤ풒. Given 푝표푙푦 푛 LWE samples 퐴, 풃 from 풜풔,푛,푞,휒. • Find 풔. LWE Problem (Search) Dimension 푛 Modulus 푞 Error distribution 휒

Adversary Challenger

퐴, 풃

풏 풏 Output: 풔 ∈ ℤ풒 Secret 풔 ∈ ℤ풒 Generate : 푝표푙푦 푛 LWE samples 퐴, 풃 from 풜풔,푛,푞,휒 LWE Problem (Decisional)

• (Definition) 3. Decisional LWE problem:

$ 풏 • 풔 ← ℤ풒. Given 푝표푙푦(푛) samples (퐴, 풃) which are either from 풜풔,푛,푞,휒 푚×푛 푚 or generated uniformly over ℤ푞 × ℤ푞 (with fair probabilities) • Determine which is the case in non-negligible advantage. LWE Problem (Decisional) Dimension 푛 Modulus 푞 Error distribution 휒 Adversary Challenger

퐴, 풃

$ 풏 풔 ← ℤ풒 Output: {“LWE”, ”uniform at random”} Generate : 푝표푙푦 푛 LWE samples 퐴, 풃 either from 풜풔,푛,푞,휒 or uniformly at random over 푚×푛 푚 ℤ푞 × ℤ푞 For example

• Dimension 푛 = 4 • Modulus 푞 = 13 • Error distribution 휒. (±1 ← 휒 with prob ¼, 0 ← 휒 with ½ )

Given 0 6 0 −2 5 1 −6 6 0 −2 4 7 −5 6 6 3 −3 , 4 4 3 −2 1 1 9 −5−3−5−4−1 0 Q: LWE distribution or uniform distribution? Remark.

• The distribution 휒 is called the “error distribution”. 휒 is typically chosen to be a discrete Gaussian (normal) distribution with small standard deviation. • The hardness varies with the S.D. of 휒

• Oded Regev shows that 퐿푊퐸 ≥ 푎푝푝푟표푥−푆(퐼)푉푃 & 푎푝푝푟표푥−GapSVP with a quantum reduction. • Specifically, with 푑푖푚푒푛푠푖표푛 푛, modulus 푞 = 푝표푙푦 푛 , and error distribution (discrete Gaussian distribution) 휒 of standard deviation 훼푞,

퐿푊퐸푛,푞,휒 ≥ ( 푛/ 훼)−푆(퐼)푉푃. Little Knowledge: How to check candidate 풔 ?

푚×푛 푚 • Given 푝표푙푦(푛) LWE samples (퐴, 풃 = 퐴풔 + 풆) ∈ ℤ푞 × ℤ푞 for some 푛 fixed secret 풔 ∈ ℤ푞 .

• Assume you find an algorithm that can generate a small set of candidate answers. How can you check which one may be the correct one? A Little Question

For any 푐 ∈ ℤ푞. 휒 is some distribution over ℤ푞.

Pr 푎 + 푏 = 푐 =? (푎 and b are generated independently) $ b←ℤ푞 푎←휒 If the modulus 푞 is 푝표푙푦 푛 -bounded, then DLWE=SLWE problem

“≤”

• Given 푝표푙푦(푛) samples either from a LWE distribution 풜풔,푛,푞,휒 for some 푛 푚×푛 푚 unknown 풔 ∈ ℤ푞 or generated uniformly over ℤ푞 × ℤ푞 . 푛 • Take some of them to the oracle of SLWE problem to find 풔 ∈ ℤ푞. • Then ?

“≥”

푛 • Given 푝표푙푦(푛) samples a LWE distribution 풜풔,푛,푞,휒 for some unknown 풔 ∈ ℤ푞 . Claim we can solve it with a DLWE oracle. If the modulus 푞 is 푝표푙푦 푛 -bounded, then DLWE=SLWE problem

“≥”

• Given 푝표푙푦(푛) samples 풂풊, 푏푖 from a LWE distribution 풜풔,푛,푞,휒 for some 푇 푛 unknown 풔 = 푠1, … , 푠푛 ∈ ℤ푞 . Claim we can solve for 푠1 with a DLWE oracle.

1. Choose guessing 푘 ∈ ℤ푞. 푛 푛 2. Define a transformation 휙푘: ℤ푞 × ℤ푞 → ℤ푞 × ℤ푞 by ′ 풂 + 푟 , 푏 + 푘 ∙ 푟 ← 휙푘 풂, 푏 , ′ 푇 푛 where 푟 ∈ ℤ푞 is generated uniformly at random and 푟 = 푟, 0, … , 0 ∈ ℤ푞.

: ⇒? If the modulus 푞 is 푝표푙푦 푛 -bounded, then DLWE=SLWE problem

“≥”

푛 푛 • Define a transformation 휙푘: ℤ푞 × ℤ푞 → ℤ푞 × ℤ푞 by ′ 풂 + 푟 , 푏 + 푘 ∙ 푟 ← 휙푘 풂, 푏 , ′ 푇 푛 where 푟 ∈ ℤ푞 is generated uniformly at random and 푟 = 푟, 0, … , 0 ∈ ℤ푞.

: 풂풊, 푏푖 = 풂풊, 풂풊, 풔 + 푒푖 ′ ′ ′ 풂풊 + 푟 , 푏푖 + 푘 ∙ 푟 = 풂풊 + 풓 , 풂풊 + 풓 , 푠 + 푒푖 + 푟 ∙ 푘 − 푠1

If 푘 = 푠1, ⇒?

If 푘 ≠ 푠1, ⇒? Short Secret DLWE Problem: Dimension 푛 Modulus 푞 Error distribution 휒

Adversary Challenger

퐴, 풃

Output: {“LWE”, ”uniform at random”} 풔 ← 흌풏 Generate : 푝표푙푦 푛 LWE samples 퐴, 풃 either from 풜풔,푛,푞,휒 or uniformly at random over 푚×푛 푚 ℤ푞 × ℤ푞 Lemma: Short Secret DLWE Problem≥DLWE problem

• Given access to the short secret LWE problem.

$ 푛×푛 푇 푛×푛 • Given LWE instances (퐴 ∈ ℤ푞 , 풃 = 퐴 푠 + 풆풔) where 퐴 ← ℤ푞 , $ 푛 unknown 푠 ← ℤ푞 and 푒푠 generated from 휒. (DLWE problem setting) • Say 퐴 is invertible. 푛 푛 • Consider a transformation 휙: ℤ푞 × ℤ푞 → ℤ푞 × ℤ푞 휙 풂′, 푏′ = −퐴−1풂′, 푏′ + −퐴−1풂′, 푏 ′ 푛 ′ ′ ′ • Given a LWE instance (풂 ∈ ℤ푞, 푏 = 풂 , 푠 + 푒 ) • Compute:휙 풂′, 푏′ −1 ′ −1 ′ = −퐴 풂 , −퐴 풂 , 푒푠 + 푒′ ⇒ ? A Taste of Passive Security Proof with DLWE problem

$ 푛×푛 퐴 ← ℤ푞 푛 푛 풔풂 ← 휒 ; 풆풂 ← 휒 푛 풃 = 퐴풔풂 + 풆풂 ∈ ℤ푞

푛×푛 푛 퐴, 풃 ∈ ℤ푞 × ℤ푞

′ 푛 풃 , 푐 ∈ ℤ푞 × ℤ푞

푚 ∈ 0,1 풔 , 풆 ← 휒푛 Decrypt: 푩 푩 푞 푒퐵′ ← 휒 푐 − 풃′풔 = 푒′ − 풆푻 푠 ≈ 푚 ∙ 푚표푑 푞 풂 푏 푩 푎 2 ′ 푻 푻 푛 풃 = 풔푩퐴 + 풆푩 ∈ ℤ푞 푞 푐 = 풔푻 풃 + 푒′ + 푚 ∙ 푩 퐵 2 Game0 (original protocol)

$ 푛×푛 퐴 ← ℤ푞 푛 푛 풔풂 ← 휒 ; 풆풂 ← 휒 푛 풃 = 퐴풔풂 + 풆풂 ∈ ℤ푞

퐴, 풃 퐴, 풃 풃′, 푐 풃′, 푐 푚 푚 ∈ 0,1 풔 , 풆 ← 휒푛 Decrypt: 푩 푩 ′ ′ 푻 푒퐵′ ← 휒 푐 − 풃 풔풂 = 푒퐵 − 풆푩푠푎 푞 풃′ = 풔푻 퐴 + 풆푻 ∈ ℤ푛 ≈ 푚 ∙ 푚표푑 푞 푩 푩 푞 2 푞 푐 = 풔푻 풃 + 푒′ + 푚 ∙ 푩 퐵 2 Game1

$ 푛×푛 퐴 ← ℤ푞 $ 푛 풃 ← ℤ푞

퐴, 풃 퐴, 풃 풃′, 푐 풃′, 푐 푚 푚 ∈ 0,1 푛 풔푩, 풆푩 ← 휒 푒퐵′ ← 휒 ′ 푻 푻 푛 풃 = 풔푩퐴 + 풆푩 ∈ ℤ푞 푞 푐 = 풔푻 풃 + 푒′ + 푚 ∙ 푩 퐵 2 Game2

$ 푛×푛 퐴 ← ℤ푞 $ 푛 풃 ← ℤ푞

퐴, 풃 퐴, 풃 풃′, 푐 풃′, 푐 푚 푚 ∈ 0,1 푛 풔푩 ← 휒 푒퐵′ ← 휒 $ ′ 푛 풃 ← ℤ푞 푞 푐 = 풔푻 풃 + 푒′ + 푚 ∙ 푩 퐵 2 Game3

$ 푛×푛 퐴 ← ℤ푞 $ 푛 풃 ← ℤ푞

퐴, 풃 퐴, 풃 풃′, 푐 풃′, 푐 푚

$ 푚 ← 0,1 $ ′ 푛 풃 ← ℤ푞 $ 푐 ← ℤ푞 Public Key Cryptosystems Based on the LWE Problem or Related Problems Contents

• Review • Diffie-Hellman Like Key Exchange • Peikert’s Method • RLWE in Brief • NewHope Review Lattice-based cryptography

Multivariate cryptography Shor Post-Quantum Algorithm Cryptography Code-based etc. cryptography Break (quantum) Hash-based Integer cryptography Factoring Problem Supersingular Diffie-Hellman elliptic curve Problem isogeny (over ℤ or elliptic curves) 푞 cryptography Review Lattice-based CVP cryptography SVP

Multivariate cryptography LWE

Post-Quantum Cryptography Code-based cryptography

Hash-based cryptography

Supersingular elliptic curve isogeny cryptography Lattices in Cryptography

푛 • Definition 1. For a linear independent set 퐵 = 푢1, … , 푢푘 ⊂ ℝ , a lattice 퐿 generated by 퐵 in ℝ푛 is defined to be

퐿 = ℤ푢푖 .

• Given a generating set of a lattice 퐿 in ℝ푛 . • 푪풍풐풔풆풔풕 풗풆풄풕풐풓 풑풓풐풃풍풆풎 (CVP): Given: and a vector 푤 in ℝ푛 Request: Find 푣 ∈ 퐿 such that 푤 − 푣 = min 푤 − 푢 푢∈퐿

• 푺풉풐풓풆풔풕 풗풆풄풕풐풓 풑풓풐풃풍풆풎 (SVP): Request: Find a nonzero vector 푣 ∈ 퐿 such that

푣 = min 푢 푢∈퐿− 0 Hardness

• Oded Regev shows that 퐿푊퐸 ≥ 푎푝푝푟표푥−푆(퐼)푉푃 & 푎푝푝푟표푥−GapSVP with a quantum reduction. There is also a classical one in a bit more wider condition provided by Chris Peikert. • Specifically, with 푑푖푚푒푛푠푖표푛 푛, modulus 푞 = 푝표푙푦 푛 , and error distribution (discrete normal/Gaussian distribution) 휒 of standard deviation 훼푞,

퐿푊퐸푛,푞,휒 ≥ ( 푛/ 훼)−푆(퐼)푉푃. Diffie-Hellman Like Structure [DXL12]

$ 푛×푛 퐴 ← ℤ푞 푛 푛 풔 , 풆 ← 휒푛 풔풂 ← 휒 ; 풆풂 ← 휒 푩 푩 푛 풃′ = 퐴푇풔 + 풆 ∈ ℤ푛 풃 = 퐴풔풂 + 풆풂 ∈ ℤ푞 푩 푩 푞

푛×푛 푛 퐴, 풃 ∈ ℤ푞 × ℤ푞

′ 풃 ∈ ℤ푞

푻 ′ 푻 푇 푻 푻 푻 푻 풔풂풃 = 풔풂퐴 풔푩 + 풔풂풆푩 푚표푑 푞 풔푩풃 = 풔푩퐴풔풂 + 풔푩풆풂 푚표푑 푞 Example: Diffie-Hellman Like Structure

2 42 −31 0 3 퐴 = 45 −26 21 풔푩 = 1 ; 풆푩 = −1 14 −5 −23 0 1 −1 1 −8 ′ 푇 풔풂 = 2 ; 풆풂 = 0 풃 = 퐴 풔푩 + 풆푩 = −7 −2 −3 19 40 풃 = 퐴풔 + 풆 = −24 풂 풂 퐴, 풃 −37 풃′

푻 ′ 푻 푇 푻 푻 푻 푻 풔풂풃 = 풔풂퐴 풔푩 + 풔풂풆푩 = 48 푚표푑 푞 풔푩풃 = 풔푩퐴풔풂 + 풔푩풆풂 = −47 푚표푑 푞 Peikert’s Key Exchange (Sketch)

Chris Peikert

푞 Error Tolerance: 푠푎푒푏 − 푠푏푒푎 ∞ ≤ 8

43 2 42 −31 Example: 퐴 = 45 −26 21 14 −5 −23 Peikert’s Method −1 1 0 3 풔풂 = 2 ; 풆풂 = 0 풔푩 = 1 ; 풆푩 = −1 −2 −3 0 1 40 −8 ′ 푇 풃 = 퐴풔풂 + 풆풂 = −24 풃 = 퐴 풔푩 + 풆푩 = −7 −37 19

푻 ′ 푻 풔풂풃 = 48 푚표푑 푞 풔 풃 = −47 푚표푑 푞 풔푻 풃 = 0 푩 푩 2 푘푒푦 = 1 푘푒푦 = 풔푻 풃 = 1 푩 2 Remark.

• The previous scheme has been (over) simplified.

• Is the output, conditioned on the transmitting messages, unbiased? Drawback:

2 1. Public key size (bit length)≈ 푛 ⋅ log2 푞

2. Transmission bandwidth ≈ 2 ⋅ (푛 ⋅ log2 푞) 3. Computation ≈ 2푛2 (modular multiplications) Intuition of -LWE (on the public key).

• In LWE problem (or LWE-based cryptosystem), we need a matrix $ $ 푛×푛 푚×푛 퐴 ← ℤ푞 or 퐴 ← ℤ푞 . 풂ퟏ

풂ퟐ

풂ퟑ ⋮

• What if we only generated the first row uniformly at random and generating an anti-cyclic matrix ?

(풄ퟏ, 풄ퟐ, … , 풄풏)

• (The multiplication can be sped up in (−풄풏, 풄ퟏ, … , 풄풏−ퟏ) some specific condition.) (−풄풏−ퟏ, −풄풏, … , 풄풏−ퟐ) • Hardness Guarantee? ⋮

(−풄풏−ퟐ, −풄풏−ퟏ, … , 풄풏−ퟑ) Hardness of Ring LWE

• Ring-LWE>approx-SIVP over lattices.

• Suspicion: 1. Gap-SVP is not hard on ideal lattices. 2. SVP/SIVP is an NP-hard problem. SIVP over ideal lattices???

• Ring-LWE (RLWE)

푚×푛 • LWE is over ℤ푞 . • Ring-LWE is over a ring 푅. • Consider an on it. • Typically, 푅 = ℤ 푥 푥푛 + 1 where 푛 is power-of-2.

Omitting the tough version, we introduce a simple and widely used one. Ring-DLWE Problem

• 푅 = ℤ 푥 < 푥푛 + 1 > , where 푛 is power−of−2

• 푅푞 = 푅/푞푅, where 푞 ∈ ℕ • 풳 ∶ an error distribution over 푅

$ • For 푠 ← 휒, the RLWE distribution 퐴푠,풳,푞,푛 over 푅푞 × 푅푞 $ which is sampled by choosing 푎 ∈ 푅푞 uniformly at random and 푒 ← 풳, and output 푎, 푏 = 푎 ∙ 푠 + 푒 푚표푑 푞

• Given poly(n) samples from 퐴푠,풳,푞,푛 or uniformly random in 푅푞 × 푅푞, determine where the samples from.

50 Diffie-Hellman Like Structure (Ring LWE form)

푅 = ℤ 푥 < 푥푛 + 1 > 푅푞 = 푅/푞푅 풳 ∶ an error distribution over 푅

(퐴, 푢푎 = 퐴푠푎 + 푒푎) $ $ 퐴 ← 푅푞 푠푏, 푒푏 ← 휒 $ 푢 = 퐴푠 + 푒 푢 = 퐴푠 + 푒 푠푎, 푒푎 ← 휒 푏 푏 푏 푏 푏 푏

푢푎 = 퐴푠푎 + 푒푎

푣푎 = 푠푎푢푏 푣푏 = 푠푏푢푎 푣푎 − 푣푏 = 푠푎푒푏 − 푠푏푒푎 = 푠푏퐴푠푎 + 푠푏푒푎 = 푠푎퐴푠푏 + 푠푎푒푏

If 풳 is 훽-bounded, then 2 푣푎 − 푣푏 ∞ = 푠푎푒푏 − 푠푏푒푎 ∞ ≤ 2푛훽 with overwhelming probability

51

• The following is a “sketch” of the reconciliation mechanism. Reconciliation in New Hope – Intuition1 (2 in 1 out)

ퟐ ퟐ • 푣0, 푣1 ∈ ℤ풒, consider 푣0/푞, 푣1/푞 ∈ ℝ 1 1 퐿푎푡푡푖푐푒 푔푒푛푒푟푎푡푒푑 푏푦 1,0 , , 2 2

Bob Alice

Grey : k=1 White: k=0 Example

K=1 Alice Bob K=1

Alice Bob Reconciliation in New Hope - Security

“0”?

“1”? Drawback

• Whole “difference vector” is too heavy Reconciliation in New Hope – Intuition2 (quantization) Example

K=1 Alice Bob K=1

Alice Bob Reconciliation in New Hope

1 1 1 1 • 퐷 ⊆ ℤ4푏푒 푎 푓푢푙푙 푙푎푡푡푖푐푒 푤푖푡ℎ 푏푎푠푖푠 푢 , 푢 , 푢 , 푔 = , , , , 4 1 2 3 2 2 2 2 4 4 푤ℎ푒푟푒 푢푖 푖=1 푖푠 푡ℎ푒 푠푡푎푛푑푎푟푑 푏푎푠푖푠 푓표푟 ℤ • 푪푽푷 ∶ 푎푛 퐶푉푃 푎푙푔표푟푖푡ℎ푚 푓푟표푚 ℝ4 푡표 퐷 푫 ퟒ 4 $ • 푯풆풍풑푹풆풄 풙; 풃 ← ퟎ, ퟏ ∶ 푎푛 푎푙푔. 푒푛푐표푑푖푛푔 푡ℎ푒 푙표푐푎푡푖표푛 푖푛푓표푟푚푎푡푖표푛 • 푹풆풄 풙, 풓 ∶ 푟푒푐표푛푐푖푙푖푎푡푖표푛 푤푖푡ℎ 푡ℎ푒 푖푛푓표푟푚푎푡푖표푛 푟

Note: Including b, there are some technique in 퐻푒푙푝푅푒푐 to remove the bias. New Hope

From the paper 흍ퟏퟔ

From the paper 흍ퟏퟔ ∶ Replace Rounded Gaussian with binomial distribution

• High-precision Gaussian sampling is expensive

• 휓16 ∶ the centered binomial distribution of variance 8 is rather trivial in hardware and software without decreasing too much security for the protocol

• More precisely, 퐹푟푒푠ℎ 풂

From the paper 퐹푟푒푠ℎ 풂: Against the all-for-the-price-of-one attacks Unusually Large n=1024 Unusually Large n=1024

• In security of level 128, the previous schemes are built with n at most 512

• The security of LWE-based schemes has not been thoroughly studied

• In view of RSA, the standardization and deployment of a scheme awakens further cryptanalytic effort q=1 mod 2n and 14-bit Prime

From the paper Number-Theoretic Transform (NTT)

• Algorithm speeding up modular polynomial multiplications

• 푎, 푏 ∈ ℛ. 퐶표푚푝푢푡푒 푎푏 = 푁푇푇−1 푁푇푇 푎 ∙ 푁푇푇 푏

푡ℎ • q=1 mod 2n: ensures the 푛 root of unity 휔 & its square root 훾 exist in ℤ푞 , auxiliary elements in the algorithm. e.g: For q=12287, n=1024 here, 휔 = 49 and 훾 = 7 with 휔1024 = 1 푚표푑 푞 and 휔 = 훾2 NTT

• With the Montgomery multiplication constant 푅 = 218 > 푞 < 214 • 218214 ≤ 232 (within 32-bits) is nice for software implementation Parameter Considerations in Conclusion

Speed/cost: • 푞 = 1 푚표푑 2푛 & 푞 < 214 (NTT)

• 휓16 (cost down) • Improved Rec/HelpRec (decreasing the modulus q)

Security/failure: • Fresh 풂 (Against the all-for-the-price-of-one attacks) • Improved Rec/HelpRec • 푛 = 1024 (be wary) Reference

• Google Security Blog: https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html

• CECPQ1results: https://www.imperialviolet.org/2016/11/28/cecpq1.html

• V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings.

• E. Alkim, Léo Ducas, Thomas Pöppelmann, Peter Schwabe . Post-quantum key exchange - a new hope.

• Chris Peikert. Lattice cryptography for the internet. In International Workshop on Post- Quantum Cryptography, pages 197–219. Springer, 2014.

• Jintai Ding. A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688, 2012. https://eprint.iacr.org/2012/688/20121210:115748.

• Jintai Ding, Xiang Xie, and Xiaodong Lin. A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (29 Jul 2014 revised), 2012. http://eprint.iacr.org/2012/688.

• Oded Regev. The learning with errors problem. Invited survey in CCC, page 15, 2010. Reference

• Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable oblivious transfer. In Annual International Cryptology Conference, pages 554–571. Springer, 2008.

• Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. SIAM Journal on Computing, 40(6):1803–1844, 2011.

• Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem. In Proceedings of the forty-first annual ACM symposium on Theory of computing, pages 333–342. ACM, 2009.

• Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (leveled) fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory (TOCT), 6(3):13, 2014.

• Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable oblivious transfer. In Annual International Cryptology Conference, pages 554– 571. Springer, 2008.

• Gerald J.Janusz. Algebraic Number Fields, 2푛푑 ed. END