On Ideal Lattices and Learning With Errors Over Rings
Vadim Lyubashevsky1 Chris Peikert 2 Oded Regev1
1Tel Aviv University
2Georgia Institute of Technology
Eurocrypt 2010
1 / 12 (After enough uniform ai’s, secret s is uniquely determined w/hp.)
√ n ≤ error q
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05] I (Also some classical hardness for search-LWE [P’09])
n I Search: find secret s ∈ Zq given many ‘noisy inner products’
The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n).
2 / 12 (After enough uniform ai’s, secret s is uniquely determined w/hp.) I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05] I (Also some classical hardness for search-LWE [P’09])
√ n ≤ error q
The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
n a1 ← Zq , b1 ≈ ha1 , si mod q n a2 ← Zq , b2 ≈ ha2 , si mod q . .
2 / 12 I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05] I (Also some classical hardness for search-LWE [P’09])
(After enough uniform ai’s, secret s is uniquely determined w/hp.)
The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
n a1 ← Zq , b1 = ha1 , si + e1 ∈ Zq n a2 ← Zq , b2 = ha2 , si + e2 ∈ Zq . . √ n ≤ error q
2 / 12 I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05] I (Also some classical hardness for search-LWE [P’09])
(After enough uniform ai’s, secret s is uniquely determined w/hp.)
The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
. . . . t At , b = A s + e . . . . √ n ≤ error q
2 / 12 I (Also some classical hardness for search-LWE [P’09])
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05]
The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
. . . . t At , b = A s + e . . . . √ n ≤ error q
(After enough uniform ai’s, secret s is uniquely determined w/hp.)
2 / 12 I (Also some classical hardness for search-LWE [P’09])
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05]
The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
. . . . t At , b = A s + e . . . . √ n ≤ error q
(After enough uniform ai’s, secret s is uniquely determined w/hp.) I Decision: distinguish (A , b) from uniform (A , b)
2 / 12 I (Also some classical hardness for search-LWE [P’09])
The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
. . . . t At , b = A s + e . . . . √ n ≤ error q
(After enough uniform ai’s, secret s is uniquely determined w/hp.) I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05]
2 / 12 The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
. . . . t At , b = A s + e . . . . √ n ≤ error q
(After enough uniform ai’s, secret s is uniquely determined w/hp.) I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05] I (Also some classical hardness for search-LWE [P’09]) 2 / 12 I Public Key Encryption [R’05,PVW’08] CCA-Secure PKE (w/o RO) [PW’08,P’09]
I Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]
UC Oblivious Transfer [PVW’08] Leakage Resilience [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Circular/KDM-Secure Encryption [ACPS’09,BHHI’10] Quadratic-Formula Homomorphic Encryption [GHV’10] Bi-Deniable Encryption [OP’10] and more. . .
LWE is Versatile What kinds of crypto can we do with LWE?
3 / 12 I Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]
UC Oblivious Transfer [PVW’08] Leakage Resilience [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Circular/KDM-Secure Encryption [ACPS’09,BHHI’10] Quadratic-Formula Homomorphic Encryption [GHV’10] Bi-Deniable Encryption [OP’10] and more. . .
LWE is Versatile What kinds of crypto can we do with LWE?
I Public Key Encryption [R’05,PVW’08] CCA-Secure PKE (w/o RO) [PW’08,P’09]
3 / 12 UC Oblivious Transfer [PVW’08] Leakage Resilience [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Circular/KDM-Secure Encryption [ACPS’09,BHHI’10] Quadratic-Formula Homomorphic Encryption [GHV’10] Bi-Deniable Encryption [OP’10] and more. . .
LWE is Versatile What kinds of crypto can we do with LWE?
I Public Key Encryption [R’05,PVW’08] CCA-Secure PKE (w/o RO) [PW’08,P’09]
I Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]
3 / 12 LWE is Versatile What kinds of crypto can we do with LWE?
I Public Key Encryption [R’05,PVW’08] CCA-Secure PKE (w/o RO) [PW’08,P’09]
I Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]
UC Oblivious Transfer [PVW’08] Leakage Resilience [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Circular/KDM-Secure Encryption [ACPS’09,BHHI’10] Quadratic-Formula Homomorphic Encryption [GHV’10] Bi-Deniable Encryption [OP’10] and more. . .
3 / 12 I Can amortize each a over many secrets si, but still O˜(n) work per scalar output.
I Public key crypto schemes have rather large keys: . . . . pk = At , b Ω(n) . . . . | {z } n I Can fix A for all users, but at best, still Ω(˜ n2) work to encrypt & decrypt an n-bit message
LWE is Efficient (. . . sort of) I Getting one extra pseudorandom scalar requires | an n-dim inner product a s + e = b ∈ Zq |
4 / 12 I Public key crypto schemes have rather large keys: . . . . pk = At , b Ω(n) . . . . | {z } n I Can fix A for all users, but at best, still Ω(˜ n2) work to encrypt & decrypt an n-bit message
LWE is Efficient (. . . sort of) I Getting one extra pseudorandom scalar requires | an n-dim inner product a s + e = b ∈ Zq I Can amortize each a over | many secrets si, but still O˜(n) work per scalar output.
4 / 12 I Can fix A for all users, but at best, still Ω(˜ n2) work to encrypt & decrypt an n-bit message
LWE is Efficient (. . . sort of) I Getting one extra pseudorandom scalar requires | an n-dim inner product a s + e = b ∈ Zq I Can amortize each a over | many secrets si, but still O˜(n) work per scalar output.
I Public key crypto schemes have rather large keys: . . . . pk = At , b Ω(n) . . . . | {z } n
4 / 12 LWE is Efficient (. . . sort of) I Getting one extra pseudorandom scalar requires | an n-dim inner product a s + e = b ∈ Zq I Can amortize each a over | many secrets si, but still O˜(n) work per scalar output.
I Public key crypto schemes have rather large keys: . . . . pk = At , b Ω(n) . . . . | {z } n I Can fix A for all users, but at best, still Ω(˜ n2) work to encrypt & decrypt an n-bit message
4 / 12 F Careful: w/ small error, coordinate-wise multiplication is not secure!
I Similar ring structures appear in heuristic NTRU scheme [HPS’98], in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ], and in fully homomorphic encryption [Gen’09].
Question I How to define the product ‘?’ so that distribution is pseudorandom?
Answer n I ‘?’ = Multiplication in a polynomial ring: e.g., Zq[x]/(x + 1). Very fast and practical with FFT / NTT: n log n operations mod q.
Wishful Thinking. . . Get n pseudorandom | | | | I n scalars from just one a ? s + e = b ∈ Zq (cheap) product operation? | | | |
5 / 12 I Similar ring structures appear in heuristic NTRU scheme [HPS’98], in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ], and in fully homomorphic encryption [Gen’09].
F Careful: w/ small error, coordinate-wise multiplication is not secure!
Answer n I ‘?’ = Multiplication in a polynomial ring: e.g., Zq[x]/(x + 1). Very fast and practical with FFT / NTT: n log n operations mod q.
Wishful Thinking. . . Get n pseudorandom | | | | I n scalars from just one a ? s + e = b ∈ Zq (cheap) product operation? | | | |
Question I How to define the product ‘?’ so that distribution is pseudorandom?
5 / 12 I Similar ring structures appear in heuristic NTRU scheme [HPS’98], in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ], and in fully homomorphic encryption [Gen’09].
Answer n I ‘?’ = Multiplication in a polynomial ring: e.g., Zq[x]/(x + 1). Very fast and practical with FFT / NTT: n log n operations mod q.
Wishful Thinking. . . Get n pseudorandom | | | | I n scalars from just one a ? s + e = b ∈ Zq (cheap) product operation? | | | |
Question I How to define the product ‘?’ so that distribution is pseudorandom?
F Careful: w/ small error, coordinate-wise multiplication is not secure!
5 / 12 I Similar ring structures appear in heuristic NTRU scheme [HPS’98], in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ], and in fully homomorphic encryption [Gen’09].
Wishful Thinking. . . Get n pseudorandom | | | | I n scalars from just one a ? s + e = b ∈ Zq (cheap) product operation? | | | |
Question I How to define the product ‘?’ so that distribution is pseudorandom?
F Careful: w/ small error, coordinate-wise multiplication is not secure!
Answer n I ‘?’ = Multiplication in a polynomial ring: e.g., Zq[x]/(x + 1). Very fast and practical with FFT / NTT: n log n operations mod q.
5 / 12 Wishful Thinking. . . Get n pseudorandom | | | | I n scalars from just one a ? s + e = b ∈ Zq (cheap) product operation? | | | |
Question I How to define the product ‘?’ so that distribution is pseudorandom?
F Careful: w/ small error, coordinate-wise multiplication is not secure!
Answer n I ‘?’ = Multiplication in a polynomial ring: e.g., Zq[x]/(x + 1). Very fast and practical with FFT / NTT: n log n operations mod q.
I Similar ring structures appear in heuristic NTRU scheme [HPS’98], in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ], and in fully homomorphic encryption [Gen’09].
5 / 12 F Concurrently & using different techniques, [SSTX’09] proved a qualitatively weaker version of our first (quantum) reduction. (Specifically: hardness for bounded # of samples in a specific ring.)
F Pseudorandomness is new, and important for crypto & efficiency. Proof requires very different techniques than for standard LWE.
1 Two main theorems:
worst case on ≤ search Ring-LWE ≤ decision Ring-LWE ideal lattices (quantum, any ring of ints) (classical, any cyclotomic ring)
2 A ‘cookbook’ for porting LWE-based schemes to Ring-LWE, plus an entirely new & even more efficient PKE scheme.
Our Results
0 Definition: a suitable ‘compact’ version of LWE called Ring-LWE
6 / 12 F Concurrently & using different techniques, [SSTX’09] proved a qualitatively weaker version of our first (quantum) reduction. (Specifically: hardness for bounded # of samples in a specific ring.)
F Pseudorandomness is new, and important for crypto & efficiency. Proof requires very different techniques than for standard LWE.
2 A ‘cookbook’ for porting LWE-based schemes to Ring-LWE, plus an entirely new & even more efficient PKE scheme.
Our Results
0 Definition: a suitable ‘compact’ version of LWE called Ring-LWE
1 Two main theorems:
worst case on ≤ search Ring-LWE ≤ decision Ring-LWE ideal lattices (quantum, any ring of ints) (classical, any cyclotomic ring)
6 / 12 F Pseudorandomness is new, and important for crypto & efficiency. Proof requires very different techniques than for standard LWE.
2 A ‘cookbook’ for porting LWE-based schemes to Ring-LWE, plus an entirely new & even more efficient PKE scheme.
Our Results
0 Definition: a suitable ‘compact’ version of LWE called Ring-LWE
1 Two main theorems:
worst case on ≤ search Ring-LWE ≤ decision Ring-LWE ideal lattices (quantum, any ring of ints) (classical, any cyclotomic ring)
F Concurrently & using different techniques, [SSTX’09] proved a qualitatively weaker version of our first (quantum) reduction. (Specifically: hardness for bounded # of samples in a specific ring.)
6 / 12 2 A ‘cookbook’ for porting LWE-based schemes to Ring-LWE, plus an entirely new & even more efficient PKE scheme.
Our Results
0 Definition: a suitable ‘compact’ version of LWE called Ring-LWE
1 Two main theorems:
worst case on ≤ search Ring-LWE ≤ decision Ring-LWE ideal lattices (quantum, any ring of ints) (classical, any cyclotomic ring)
F Concurrently & using different techniques, [SSTX’09] proved a qualitatively weaker version of our first (quantum) reduction. (Specifically: hardness for bounded # of samples in a specific ring.)
F Pseudorandomness is new, and important for crypto & efficiency. Proof requires very different techniques than for standard LWE.
6 / 12 Our Results
0 Definition: a suitable ‘compact’ version of LWE called Ring-LWE
1 Two main theorems:
worst case on ≤ search Ring-LWE ≤ decision Ring-LWE ideal lattices (quantum, any ring of ints) (classical, any cyclotomic ring)
F Concurrently & using different techniques, [SSTX’09] proved a qualitatively weaker version of our first (quantum) reduction. (Specifically: hardness for bounded # of samples in a specific ring.)
F Pseudorandomness is new, and important for crypto & efficiency. Proof requires very different techniques than for standard LWE.
2 A ‘cookbook’ for porting LWE-based schemes to Ring-LWE, plus an entirely new & even more efficient PKE scheme.
6 / 12 I Search: find the secret s ∈ Rq, given: Error vectors a1 ← Rq , b1 = a1 × s + e1 ∈ Rq
a2 ← Rq , b2 = a2 × s + e2 ∈ Rq . .
I Decision: distinguish (ai , bi) from uniform (ai , bi).
F Elements may be viewed as dim < n polynomials with Zq coeffs. . . n F . . . or as vectors in Zq.
polynomial ‘+’ ←→ vector addition polynomial ‘×’ ←→ ‘anti-cyclic convolution’
LWE Over a Ring n k I Example: ring Rq = Zq[x]/(x + 1) for n = 2 and q = 1 mod 2n.
7 / 12 I Search: find the secret s ∈ Rq, given: Error vectors a1 ← Rq , b1 = a1 × s + e1 ∈ Rq
a2 ← Rq , b2 = a2 × s + e2 ∈ Rq . .
I Decision: distinguish (ai , bi) from uniform (ai , bi).
polynomial ‘+’ ←→ vector addition polynomial ‘×’ ←→ ‘anti-cyclic convolution’
LWE Over a Ring n k I Example: ring Rq = Zq[x]/(x + 1) for n = 2 and q = 1 mod 2n.
F Elements may be viewed as dim < n polynomials with Zq coeffs. . . n F . . . or as vectors in Zq.
7 / 12 I Search: find the secret s ∈ Rq, given: Error vectors a1 ← Rq , b1 = a1 × s + e1 ∈ Rq
a2 ← Rq , b2 = a2 × s + e2 ∈ Rq . .
I Decision: distinguish (ai , bi) from uniform (ai , bi).
LWE Over a Ring n k I Example: ring Rq = Zq[x]/(x + 1) for n = 2 and q = 1 mod 2n.
F Elements may be viewed as dim < n polynomials with Zq coeffs. . . n F . . . or as vectors in Zq.
polynomial ‘+’ ←→ vector addition polynomial ‘×’ ←→ ‘anti-cyclic convolution’
7 / 12 I Decision: distinguish (ai , bi) from uniform (ai , bi).
LWE Over a Ring n k I Example: ring Rq = Zq[x]/(x + 1) for n = 2 and q = 1 mod 2n.
F Elements may be viewed as dim < n polynomials with Zq coeffs. . . n F . . . or as vectors in Zq.
polynomial ‘+’ ←→ vector addition polynomial ‘×’ ←→ ‘anti-cyclic convolution’
I Search: find the secret s ∈ Rq, given: Error vectors a1 ← Rq , b1 = a1 × s + e1 ∈ Rq
a2 ← Rq , b2 = a2 × s + e2 ∈ Rq . .
7 / 12 LWE Over a Ring n k I Example: ring Rq = Zq[x]/(x + 1) for n = 2 and q = 1 mod 2n.
F Elements may be viewed as dim < n polynomials with Zq coeffs. . . n F . . . or as vectors in Zq.
polynomial ‘+’ ←→ vector addition polynomial ‘×’ ←→ ‘anti-cyclic convolution’
I Search: find the secret s ∈ Rq, given: Error vectors a1 ← Rq , b1 = a1 × s + e1 ∈ Rq
a2 ← Rq , b2 = a2 × s + e2 ∈ Rq . .
I Decision: distinguish (ai , bi) from uniform (ai , bi).
7 / 12 But only O˜(n) key size, Enc, Dec for n-bit message.
n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext
q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])
I Decrypt: recover m from c2 − c1 × s.
I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!?
Proof of CPA Security
1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])
2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE
A New Kind of LWE Cryptosystem
I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)
8 / 12 But only O˜(n) key size, Enc, Dec for n-bit message.
I Decrypt: recover m from c2 − c1 × s.
I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!?
Proof of CPA Security
1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])
2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE
A New Kind of LWE Cryptosystem
I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)
n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext
q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])
8 / 12 But only O˜(n) key size, Enc, Dec for n-bit message.
I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!?
Proof of CPA Security
1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])
2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE
A New Kind of LWE Cryptosystem
I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)
n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext
q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])
I Decrypt: recover m from c2 − c1 × s.
8 / 12 But only O˜(n) key size, Enc, Dec for n-bit message.
Proof of CPA Security
1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])
2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE
A New Kind of LWE Cryptosystem
I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)
n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext
q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])
I Decrypt: recover m from c2 − c1 × s.
I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!?
8 / 12 Proof of CPA Security
1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])
2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE
A New Kind of LWE Cryptosystem
I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)
n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext
q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])
I Decrypt: recover m from c2 − c1 × s.
I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!? But only O˜(n) key size, Enc, Dec for n-bit message.
8 / 12 A New Kind of LWE Cryptosystem
I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)
n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext
q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])
I Decrypt: recover m from c2 − c1 × s.
I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!? But only O˜(n) key size, Enc, Dec for n-bit message.
Proof of CPA Security
1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])
2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE
8 / 12 I Proof follows the outline of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.
I New reduction technique for ‘clearing the ideal’(I/qI 7→ R/qR), in an ‘algebra-preserving’ way. Uses Chinese remainder theorem and theory of duality for ideals.
Hardness of Search Ring-LWE
Theorem 1 For any large enough q, solving search Ring-LWE is as hard as quantumly solving poly(n)-approx SVP in any (worst-case) ideal lattice from the ring.
9 / 12 I New reduction technique for ‘clearing the ideal’(I/qI 7→ R/qR), in an ‘algebra-preserving’ way. Uses Chinese remainder theorem and theory of duality for ideals.
Hardness of Search Ring-LWE
Theorem 1 For any large enough q, solving search Ring-LWE is as hard as quantumly solving poly(n)-approx SVP in any (worst-case) ideal lattice from the ring.
I Proof follows the outline of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.
9 / 12 Hardness of Search Ring-LWE
Theorem 1 For any large enough q, solving search Ring-LWE is as hard as quantumly solving poly(n)-approx SVP in any (worst-case) ideal lattice from the ring.
I Proof follows the outline of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.
I New reduction technique for ‘clearing the ideal’(I/qI 7→ R/qR), in an ‘algebra-preserving’ way. Uses Chinese remainder theorem and theory of duality for ideals.
9 / 12 I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’
n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z
+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)
I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):
1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C
Both + and × are coordinate-wise! Nice geometric behavior.
n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.
n To get ideal lattices, embed R and its ideals into R . How?
A Word on Ideal Lattices
n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.
10 / 12 + is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)
I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):
1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C
Both + and × are coordinate-wise! Nice geometric behavior.
n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.
I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’
n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z
A Word on Ideal Lattices
n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.
n To get ideal lattices, embed R and its ideals into R . How?
10 / 12 I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):
1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C
Both + and × are coordinate-wise! Nice geometric behavior.
n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.
+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)
A Word on Ideal Lattices
n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.
n To get ideal lattices, embed R and its ideals into R . How? I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’
n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z
10 / 12 Both + and × are coordinate-wise! Nice geometric behavior.
n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.
I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):
1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C
A Word on Ideal Lattices
n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.
n To get ideal lattices, embed R and its ideals into R . How? I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’
n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z
+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)
10 / 12 n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.
Both + and × are coordinate-wise! Nice geometric behavior.
A Word on Ideal Lattices
n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.
n To get ideal lattices, embed R and its ideals into C . How? I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’
n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z
+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)
I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):
1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C
10 / 12 n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.
A Word on Ideal Lattices
n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.
n To get ideal lattices, embed R and its ideals into C . How? I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’
n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z
+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)
I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):
1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C
Both + and × are coordinate-wise! Nice geometric behavior.
10 / 12 A Word on Ideal Lattices
n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.
n To get ideal lattices, embed R and its ideals into Zq. How? I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’
n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z
+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)
I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):
1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C
Both + and × are coordinate-wise! Nice geometric behavior.
n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.
10 / 12 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots? Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.
(Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)
Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n.
Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.
11 / 12 Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.
(Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)
1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots?
Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.
Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n.
11 / 12 Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.
(Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)
2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots?
Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.
Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n. 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1.
11 / 12 Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.
(Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)
j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots?
Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.
Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n. 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]).
11 / 12 (Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)
Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.
Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.
Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n. 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots?
11 / 12 (Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)
Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.
Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n. 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots? Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.
11 / 12 Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.
Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n. 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots? Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.
(Math jargon: use the automorphism (Galois) group of the cyclotomic number field.) 11 / 12 I Ring-LWE allows for much more compact and efficient encryption schemes than standard LWE. E.g., PKE in O˜(1) work per message bit. I Main open direction: develop new kinds of constructions unlike those based on standard LWE (e.g., fully homomorphic PKE?) I Questions? More details? Find me here:
Summary and Conclusions
I In any cyclotomic ring, Ring-LWE is pseudorandom if ideal lattice problems are (quantumly) hard in the worst case.
12 / 12 I Main open direction: develop new kinds of constructions unlike those based on standard LWE (e.g., fully homomorphic PKE?) I Questions? More details? Find me here:
Summary and Conclusions
I In any cyclotomic ring, Ring-LWE is pseudorandom if ideal lattice problems are (quantumly) hard in the worst case. I Ring-LWE allows for much more compact and efficient encryption schemes than standard LWE. E.g., PKE in O˜(1) work per message bit.
12 / 12 I Questions? More details? Find me here:
Summary and Conclusions
I In any cyclotomic ring, Ring-LWE is pseudorandom if ideal lattice problems are (quantumly) hard in the worst case. I Ring-LWE allows for much more compact and efficient encryption schemes than standard LWE. E.g., PKE in O˜(1) work per message bit. I Main open direction: develop new kinds of constructions unlike those based on standard LWE (e.g., fully homomorphic PKE?)
12 / 12 Summary and Conclusions
I In any cyclotomic ring, Ring-LWE is pseudorandom if ideal lattice problems are (quantumly) hard in the worst case. I Ring-LWE allows for much more compact and efficient encryption schemes than standard LWE. E.g., PKE in O˜(1) work per message bit. I Main open direction: develop new kinds of constructions unlike those based on standard LWE (e.g., fully homomorphic PKE?) I Questions? More details? Find me here:
12 / 12