On Lattices and Over Rings

Vadim Lyubashevsky1 Chris Peikert 2 Oded Regev1

1Tel Aviv University

2Georgia Institute of Technology

Eurocrypt 2010

1 / 12 (After enough uniform ai’s, secret s is uniquely determined w/hp.)

√ n ≤ error  q

I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05] I (Also some classical hardness for search-LWE [P’09])

n I Search: find secret s ∈ Zq given many ‘noisy inner products’

The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n).

2 / 12 (After enough uniform ai’s, secret s is uniquely determined w/hp.) I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05] I (Also some classical hardness for search-LWE [P’09])

√ n ≤ error  q

The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’

n a1 ← Zq , b1 ≈ ha1 , si mod q n a2 ← Zq , b2 ≈ ha2 , si mod q . .

2 / 12 I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05] I (Also some classical hardness for search-LWE [P’09])

(After enough uniform ai’s, secret s is uniquely determined w/hp.)

The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’

n a1 ← Zq , b1 = ha1 , si + e1 ∈ Zq n a2 ← Zq , b2 = ha2 , si + e2 ∈ Zq . . √ n ≤ error  q

2 / 12 I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05] I (Also some classical hardness for search-LWE [P’09])

(After enough uniform ai’s, secret s is uniquely determined w/hp.)

The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’

 .   .  . .     t  At  , b = A s + e     . . . . √ n ≤ error  q

2 / 12 I (Also some classical hardness for search-LWE [P’09])

I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05]

The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’

 .   .  . .     t  At  , b = A s + e     . . . . √ n ≤ error  q

(After enough uniform ai’s, secret s is uniquely determined w/hp.)

2 / 12 I (Also some classical hardness for search-LWE [P’09])

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05]

The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’

 .   .  . .     t  At  , b = A s + e     . . . . √ n ≤ error  q

(After enough uniform ai’s, secret s is uniquely determined w/hp.) I Decision: distinguish (A , b) from uniform (A , b)

2 / 12 I (Also some classical hardness for search-LWE [P’09])

The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’

 .   .  . .     t  At  , b = A s + e     . . . . √ n ≤ error  q

(After enough uniform ai’s, secret s is uniquely determined w/hp.) I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05]

2 / 12 The ‘Learning With Errors’ Problem [Regev’05] I Parameters: dimension n, prime modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’

 .   .  . .     t  At  , b = A s + e     . . . . √ n ≤ error  q

(After enough uniform ai’s, secret s is uniquely determined w/hp.) I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05] I (Also some classical hardness for search-LWE [P’09]) 2 / 12 I Public Key Encryption [R’05,PVW’08] CCA-Secure PKE (w/o RO) [PW’08,P’09]

I Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]

UC Oblivious Transfer [PVW’08] Leakage Resilience [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Circular/KDM-Secure Encryption [ACPS’09,BHHI’10] Quadratic-Formula Homomorphic Encryption [GHV’10] Bi-Deniable Encryption [OP’10] and more. . .

LWE is Versatile What kinds of crypto can we do with LWE?

3 / 12 I Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]

UC Oblivious Transfer [PVW’08] Leakage Resilience [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Circular/KDM-Secure Encryption [ACPS’09,BHHI’10] Quadratic-Formula Homomorphic Encryption [GHV’10] Bi-Deniable Encryption [OP’10] and more. . .

LWE is Versatile What kinds of crypto can we do with LWE?

I Public Key Encryption [R’05,PVW’08] CCA-Secure PKE (w/o RO) [PW’08,P’09]

3 / 12 UC Oblivious Transfer [PVW’08] Leakage Resilience [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Circular/KDM-Secure Encryption [ACPS’09,BHHI’10] Quadratic-Formula Homomorphic Encryption [GHV’10] Bi-Deniable Encryption [OP’10] and more. . .

LWE is Versatile What kinds of crypto can we do with LWE?

I Public Key Encryption [R’05,PVW’08] CCA-Secure PKE (w/o RO) [PW’08,P’09]

I Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]

3 / 12 LWE is Versatile What kinds of crypto can we do with LWE?

I Public Key Encryption [R’05,PVW’08] CCA-Secure PKE (w/o RO) [PW’08,P’09]

I Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]

UC Oblivious Transfer [PVW’08] Leakage Resilience [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Circular/KDM-Secure Encryption [ACPS’09,BHHI’10] Quadratic-Formula Homomorphic Encryption [GHV’10] Bi-Deniable Encryption [OP’10] and more. . .

3 / 12 I Can amortize each a over many secrets si, but still O˜(n) work per scalar output.

I Public key crypto schemes have rather large keys:     . . . .      pk =  At  , b Ω(n)  .   .  . .  | {z } n I Can fix A for all users, but at best, still Ω(˜ n2) work to encrypt & decrypt an n-bit message

LWE is Efficient (. . . sort of) I Getting one extra pseudorandom scalar requires | an n-dim inner product  a s + e = b ∈ Zq |

4 / 12 I Public key crypto schemes have rather large keys:     . . . .      pk =  At  , b Ω(n)  .   .  . .  | {z } n I Can fix A for all users, but at best, still Ω(˜ n2) work to encrypt & decrypt an n-bit message

LWE is Efficient (. . . sort of) I Getting one extra pseudorandom scalar requires | an n-dim inner product a  s + e = b ∈   Zq I Can amortize each a over | many secrets si, but still O˜(n) work per scalar output.

4 / 12 I Can fix A for all users, but at best, still Ω(˜ n2) work to encrypt & decrypt an n-bit message

LWE is Efficient (. . . sort of) I Getting one extra pseudorandom scalar requires | an n-dim inner product a  s + e = b ∈   Zq I Can amortize each a over | many secrets si, but still O˜(n) work per scalar output.

I Public key crypto schemes have rather large keys:     . . . .      pk =  At  , b Ω(n)  .   .  . .  | {z } n

4 / 12 LWE is Efficient (. . . sort of) I Getting one extra pseudorandom scalar requires | an n-dim inner product a  s + e = b ∈   Zq I Can amortize each a over | many secrets si, but still O˜(n) work per scalar output.

I Public key crypto schemes have rather large keys:     . . . .      pk =  At  , b Ω(n)  .   .  . .  | {z } n I Can fix A for all users, but at best, still Ω(˜ n2) work to encrypt & decrypt an n-bit message

4 / 12 F Careful: w/ small error, coordinate-wise multiplication is not secure!

I Similar structures appear in heuristic NTRU scheme [HPS’98], in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ], and in fully homomorphic encryption [Gen’09].

Question I How to define the product ‘?’ so that distribution is pseudorandom?

Answer n I ‘?’ = Multiplication in a : e.g., Zq[x]/(x + 1). Very fast and practical with FFT / NTT: n log n operations mod q.

Wishful Thinking. . . Get n pseudorandom | | |  |  I n scalars from just one a ? s + e = b ∈ Zq (cheap) product operation? | | | |

5 / 12 I Similar ring structures appear in heuristic NTRU scheme [HPS’98], in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ], and in fully homomorphic encryption [Gen’09].

F Careful: w/ small error, coordinate-wise multiplication is not secure!

Answer n I ‘?’ = Multiplication in a polynomial ring: e.g., Zq[x]/(x + 1). Very fast and practical with FFT / NTT: n log n operations mod q.

Wishful Thinking. . . Get n pseudorandom | | |  |  I n scalars from just one a ? s + e = b ∈ Zq (cheap) product operation? | | | |

Question I How to define the product ‘?’ so that distribution is pseudorandom?

5 / 12 I Similar ring structures appear in heuristic NTRU scheme [HPS’98], in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ], and in fully homomorphic encryption [Gen’09].

Answer n I ‘?’ = Multiplication in a polynomial ring: e.g., Zq[x]/(x + 1). Very fast and practical with FFT / NTT: n log n operations mod q.

Wishful Thinking. . . Get n pseudorandom | | |  |  I n scalars from just one a ? s + e = b ∈ Zq (cheap) product operation? | | | |

Question I How to define the product ‘?’ so that distribution is pseudorandom?

F Careful: w/ small error, coordinate-wise multiplication is not secure!

5 / 12 I Similar ring structures appear in heuristic NTRU scheme [HPS’98], in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ], and in fully homomorphic encryption [Gen’09].

Wishful Thinking. . . Get n pseudorandom | | |  |  I n scalars from just one a ? s + e = b ∈ Zq (cheap) product operation? | | | |

Question I How to define the product ‘?’ so that distribution is pseudorandom?

F Careful: w/ small error, coordinate-wise multiplication is not secure!

Answer n I ‘?’ = Multiplication in a polynomial ring: e.g., Zq[x]/(x + 1). Very fast and practical with FFT / NTT: n log n operations mod q.

5 / 12 Wishful Thinking. . . Get n pseudorandom | | |  |  I n scalars from just one a ? s + e = b ∈ Zq (cheap) product operation? | | | |

Question I How to define the product ‘?’ so that distribution is pseudorandom?

F Careful: w/ small error, coordinate-wise multiplication is not secure!

Answer n I ‘?’ = Multiplication in a polynomial ring: e.g., Zq[x]/(x + 1). Very fast and practical with FFT / NTT: n log n operations mod q.

I Similar ring structures appear in heuristic NTRU scheme [HPS’98], in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ], and in fully homomorphic encryption [Gen’09].

5 / 12 F Concurrently & using different techniques, [SSTX’09] proved a qualitatively weaker version of our first (quantum) reduction. (Specifically: hardness for bounded # of samples in a specific ring.)

F Pseudorandomness is new, and important for crypto & efficiency. Proof requires very different techniques than for standard LWE.

1 Two main theorems:

worst case on ≤ search Ring-LWE ≤ decision Ring-LWE ideal lattices (quantum, any ring of ints) (classical, any cyclotomic ring)

2 A ‘cookbook’ for porting LWE-based schemes to Ring-LWE, plus an entirely new & even more efficient PKE scheme.

Our Results

0 Definition: a suitable ‘compact’ version of LWE called Ring-LWE

6 / 12 F Concurrently & using different techniques, [SSTX’09] proved a qualitatively weaker version of our first (quantum) reduction. (Specifically: hardness for bounded # of samples in a specific ring.)

F Pseudorandomness is new, and important for crypto & efficiency. Proof requires very different techniques than for standard LWE.

2 A ‘cookbook’ for porting LWE-based schemes to Ring-LWE, plus an entirely new & even more efficient PKE scheme.

Our Results

0 Definition: a suitable ‘compact’ version of LWE called Ring-LWE

1 Two main theorems:

worst case on ≤ search Ring-LWE ≤ decision Ring-LWE ideal lattices (quantum, any ring of ints) (classical, any cyclotomic ring)

6 / 12 F Pseudorandomness is new, and important for crypto & efficiency. Proof requires very different techniques than for standard LWE.

2 A ‘cookbook’ for porting LWE-based schemes to Ring-LWE, plus an entirely new & even more efficient PKE scheme.

Our Results

0 Definition: a suitable ‘compact’ version of LWE called Ring-LWE

1 Two main theorems:

worst case on ≤ search Ring-LWE ≤ decision Ring-LWE ideal lattices (quantum, any ring of ints) (classical, any cyclotomic ring)

F Concurrently & using different techniques, [SSTX’09] proved a qualitatively weaker version of our first (quantum) reduction. (Specifically: hardness for bounded # of samples in a specific ring.)

6 / 12 2 A ‘cookbook’ for porting LWE-based schemes to Ring-LWE, plus an entirely new & even more efficient PKE scheme.

Our Results

0 Definition: a suitable ‘compact’ version of LWE called Ring-LWE

1 Two main theorems:

worst case on ≤ search Ring-LWE ≤ decision Ring-LWE ideal lattices (quantum, any ring of ints) (classical, any cyclotomic ring)

F Concurrently & using different techniques, [SSTX’09] proved a qualitatively weaker version of our first (quantum) reduction. (Specifically: hardness for bounded # of samples in a specific ring.)

F Pseudorandomness is new, and important for crypto & efficiency. Proof requires very different techniques than for standard LWE.

6 / 12 Our Results

0 Definition: a suitable ‘compact’ version of LWE called Ring-LWE

1 Two main theorems:

worst case on ≤ search Ring-LWE ≤ decision Ring-LWE ideal lattices (quantum, any ring of ints) (classical, any cyclotomic ring)

F Concurrently & using different techniques, [SSTX’09] proved a qualitatively weaker version of our first (quantum) reduction. (Specifically: hardness for bounded # of samples in a specific ring.)

F Pseudorandomness is new, and important for crypto & efficiency. Proof requires very different techniques than for standard LWE.

2 A ‘cookbook’ for porting LWE-based schemes to Ring-LWE, plus an entirely new & even more efficient PKE scheme.

6 / 12 I Search: find the secret s ∈ Rq, given: Error vectors a1 ← Rq , b1 = a1 × s + e1 ∈ Rq

a2 ← Rq , b2 = a2 × s + e2 ∈ Rq . .

I Decision: distinguish (ai , bi) from uniform (ai , bi).

F Elements may be viewed as dim < n polynomials with Zq coeffs. . . n F . . . or as vectors in Zq.

polynomial ‘+’ ←→ vector addition polynomial ‘×’ ←→ ‘anti-cyclic convolution’

LWE Over a Ring n k I Example: ring Rq = Zq[x]/(x + 1) for n = 2 and q = 1 mod 2n.

7 / 12 I Search: find the secret s ∈ Rq, given: Error vectors a1 ← Rq , b1 = a1 × s + e1 ∈ Rq

a2 ← Rq , b2 = a2 × s + e2 ∈ Rq . .

I Decision: distinguish (ai , bi) from uniform (ai , bi).

polynomial ‘+’ ←→ vector addition polynomial ‘×’ ←→ ‘anti-cyclic convolution’

LWE Over a Ring n k I Example: ring Rq = Zq[x]/(x + 1) for n = 2 and q = 1 mod 2n.

F Elements may be viewed as dim < n polynomials with Zq coeffs. . . n F . . . or as vectors in Zq.

7 / 12 I Search: find the secret s ∈ Rq, given: Error vectors a1 ← Rq , b1 = a1 × s + e1 ∈ Rq

a2 ← Rq , b2 = a2 × s + e2 ∈ Rq . .

I Decision: distinguish (ai , bi) from uniform (ai , bi).

LWE Over a Ring n k I Example: ring Rq = Zq[x]/(x + 1) for n = 2 and q = 1 mod 2n.

F Elements may be viewed as dim < n polynomials with Zq coeffs. . . n F . . . or as vectors in Zq.

polynomial ‘+’ ←→ vector addition polynomial ‘×’ ←→ ‘anti-cyclic convolution’

7 / 12 I Decision: distinguish (ai , bi) from uniform (ai , bi).

LWE Over a Ring n k I Example: ring Rq = Zq[x]/(x + 1) for n = 2 and q = 1 mod 2n.

F Elements may be viewed as dim < n polynomials with Zq coeffs. . . n F . . . or as vectors in Zq.

polynomial ‘+’ ←→ vector addition polynomial ‘×’ ←→ ‘anti-cyclic convolution’

I Search: find the secret s ∈ Rq, given: Error vectors a1 ← Rq , b1 = a1 × s + e1 ∈ Rq

a2 ← Rq , b2 = a2 × s + e2 ∈ Rq . .

7 / 12 LWE Over a Ring n k I Example: ring Rq = Zq[x]/(x + 1) for n = 2 and q = 1 mod 2n.

F Elements may be viewed as dim < n polynomials with Zq coeffs. . . n F . . . or as vectors in Zq.

polynomial ‘+’ ←→ vector addition polynomial ‘×’ ←→ ‘anti-cyclic convolution’

I Search: find the secret s ∈ Rq, given: Error vectors a1 ← Rq , b1 = a1 × s + e1 ∈ Rq

a2 ← Rq , b2 = a2 × s + e2 ∈ Rq . .

I Decision: distinguish (ai , bi) from uniform (ai , bi).

7 / 12 But only O˜(n) key size, Enc, Dec for n-bit message.

n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext

q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])

I Decrypt: recover m from c2 − c1 × s.

I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!?

Proof of CPA Security

1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])

2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE

A New Kind of LWE Cryptosystem

I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)

8 / 12 But only O˜(n) key size, Enc, Dec for n-bit message.

I Decrypt: recover m from c2 − c1 × s.

I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!?

Proof of CPA Security

1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])

2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE

A New Kind of LWE Cryptosystem

I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)

n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext

q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])

8 / 12 But only O˜(n) key size, Enc, Dec for n-bit message.

I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!?

Proof of CPA Security

1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])

2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE

A New Kind of LWE Cryptosystem

I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)

n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext

q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])

I Decrypt: recover m from c2 − c1 × s.

8 / 12 But only O˜(n) key size, Enc, Dec for n-bit message.

Proof of CPA Security

1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])

2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE

A New Kind of LWE Cryptosystem

I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)

n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext

q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])

I Decrypt: recover m from c2 − c1 × s.

I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!?

8 / 12 Proof of CPA Security

1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])

2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE

A New Kind of LWE Cryptosystem

I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)

n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext

q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])

I Decrypt: recover m from c2 − c1 × s.

I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!? But only O˜(n) key size, Enc, Dec for n-bit message.

8 / 12 A New Kind of LWE Cryptosystem

I Secret key: ‘short’ s ∈ Rq. Public key: (a , b = a × s + e)

n I Encrypt m ∈ {0, 1} : choose ‘short’ t ∈ Rq. Output ciphertext

q (c1, c2) = (a × t + e1 , b × t + e2 + m · [ 2 ]) q ≈ (a × t , a × s × t + m · [ 2 ])

I Decrypt: recover m from c2 − c1 × s.

I Works just like subset-sum encryption [LPS’10] and . . . ElGamal ?!? But only O˜(n) key size, Enc, Dec for n-bit message.

Proof of CPA Security

1 Public key (a, b) ≈c (a, b) by decision Ring-LWE (even for ‘short’ s [ACPS’09])

2 Ciphertext (c1, c2) ≈c (c1, c2), again by decision Ring-LWE

8 / 12 I Proof follows the outline of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.

I New reduction technique for ‘clearing the ideal’(I/qI 7→ R/qR), in an ‘algebra-preserving’ way. Uses Chinese remainder theorem and theory of duality for ideals.

Hardness of Search Ring-LWE

Theorem 1 For any large enough q, solving search Ring-LWE is as hard as quantumly solving poly(n)-approx SVP in any (worst-case) ideal lattice from the ring.

9 / 12 I New reduction technique for ‘clearing the ideal’(I/qI 7→ R/qR), in an ‘algebra-preserving’ way. Uses Chinese remainder theorem and theory of duality for ideals.

Hardness of Search Ring-LWE

Theorem 1 For any large enough q, solving search Ring-LWE is as hard as quantumly solving poly(n)-approx SVP in any (worst-case) ideal lattice from the ring.

I Proof follows the outline of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.

9 / 12 Hardness of Search Ring-LWE

Theorem 1 For any large enough q, solving search Ring-LWE is as hard as quantumly solving poly(n)-approx SVP in any (worst-case) ideal lattice from the ring.

I Proof follows the outline of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.

I New reduction technique for ‘clearing the ideal’(I/qI 7→ R/qR), in an ‘algebra-preserving’ way. Uses Chinese remainder theorem and theory of duality for ideals.

9 / 12 I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’

n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z

+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)

I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):

1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C

Both + and × are coordinate-wise! Nice geometric behavior.

n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.

n To get ideal lattices, embed R and its ideals into R . How?

A Word on Ideal Lattices

n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.

10 / 12 + is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)

I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):

1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C

Both + and × are coordinate-wise! Nice geometric behavior.

n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.

I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’

n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z

A Word on Ideal Lattices

n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.

n To get ideal lattices, embed R and its ideals into R . How?

10 / 12 I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):

1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C

Both + and × are coordinate-wise! Nice geometric behavior.

n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.

+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)

A Word on Ideal Lattices

n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.

n To get ideal lattices, embed R and its ideals into R . How? I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’

n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z

10 / 12 Both + and × are coordinate-wise! Nice geometric behavior.

n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.

I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):

1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C

A Word on Ideal Lattices

n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.

n To get ideal lattices, embed R and its ideals into R . How? I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’

n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z

+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)

10 / 12 n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.

Both + and × are coordinate-wise! Nice geometric behavior.

A Word on Ideal Lattices

n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.

n To get ideal lattices, embed R and its ideals into C . How? I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’

n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z

+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)

I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):

1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C

10 / 12 n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.

A Word on Ideal Lattices

n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.

n To get ideal lattices, embed R and its ideals into C . How? I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’

n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z

+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)

I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):

1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C

Both + and × are coordinate-wise! Nice geometric behavior.

10 / 12 A Word on Ideal Lattices

n k I Recall example ring R = Z[x]/(x + 1) for n = 2 . I An ideal I ⊆ R is closed under + and −, and under × with R.

n To get ideal lattices, embed R and its ideals into Zq. How? I [HPS’98,M’02,PR’06,LM’06,G’09,. . . ]:‘coefficient embedding’

n−1 n a(x) = a0 + a1x + ··· + an−1x 7→ (a0,..., an−1) ∈ Z

+ is coordinate-wise, but analyzing × is cumbersome (esp. for rv’s)

I [Minkowski’18??,. . . ]:‘canonical embedding.’ Let ω = exp(πi/n):

1 3 2n−1 n a(x) 7→ (a(ω ) , a(ω ) ,..., a(ω )) ∈ C

Both + and × are coordinate-wise! Nice geometric behavior.

n 2i−1 I Modulo any prime q = 1 mod 2n, (x + 1) has n roots ω ∈ Zq. n For Ring-LWE schemes, this gives an embedding into Zq.

10 / 12 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots? Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.

(Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)

Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n.

Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.

11 / 12 Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.

(Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)

1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots?

Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.

Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n.

11 / 12 Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.

(Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)

2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots?

Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.

Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n. 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1.

11 / 12 Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.

(Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)

j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots?

Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.

Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n. 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]).

11 / 12 (Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)

Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.

Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.

Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n. 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots?

11 / 12 (Math jargon: use the automorphism (Galois) group of the cyclotomic number field.)

Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.

Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n. 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots? Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.

11 / 12 Pseudorandomness of Ring-LWE Theorem 2 n Solving decision Ring-LWE in Rq = Zq[x]/(x + 1) (for any poly(n)-bounded prime q = 1 mod 2n) is as hard as solving search Ring-LWE.

Proof Outline Given: O distinguishes samples (a, b ≈ a × s) from uniform (a, b). 2j−1 Goal: Find s ∈ Rq. Equivalent to finding s(ω ) ∈ Zq for j = 1,..., n. 1 1 3 1 Hybrid argument: randomize b(ω ) ∈ Zq, then (b(ω ), b(ω )),... Then O must distinguish relative to some ω2i−1. 2i−1 2 Using O, guess-and-check to find s(ω ) ∈ Zq (a la [BFKL’93,R’05]). j− 3 How to find other s(ω2 1)? Couldn’t O be useless on other roots? Map ω 7→ ωk permutes roots of xn + 1. Can send each to ω2i−1.

(Math jargon: use the automorphism (Galois) group of the cyclotomic number field.) 11 / 12 I Ring-LWE allows for much more compact and efficient encryption schemes than standard LWE. E.g., PKE in O˜(1) work per message bit. I Main open direction: develop new kinds of constructions unlike those based on standard LWE (e.g., fully homomorphic PKE?) I Questions? More details? Find me here:

Summary and Conclusions

I In any cyclotomic ring, Ring-LWE is pseudorandom if ideal lattice problems are (quantumly) hard in the worst case.

12 / 12 I Main open direction: develop new kinds of constructions unlike those based on standard LWE (e.g., fully homomorphic PKE?) I Questions? More details? Find me here:

Summary and Conclusions

I In any cyclotomic ring, Ring-LWE is pseudorandom if ideal lattice problems are (quantumly) hard in the worst case. I Ring-LWE allows for much more compact and efficient encryption schemes than standard LWE. E.g., PKE in O˜(1) work per message bit.

12 / 12 I Questions? More details? Find me here:

Summary and Conclusions

I In any cyclotomic ring, Ring-LWE is pseudorandom if ideal lattice problems are (quantumly) hard in the worst case. I Ring-LWE allows for much more compact and efficient encryption schemes than standard LWE. E.g., PKE in O˜(1) work per message bit. I Main open direction: develop new kinds of constructions unlike those based on standard LWE (e.g., fully homomorphic PKE?)

12 / 12 Summary and Conclusions

I In any cyclotomic ring, Ring-LWE is pseudorandom if ideal lattice problems are (quantumly) hard in the worst case. I Ring-LWE allows for much more compact and efficient encryption schemes than standard LWE. E.g., PKE in O˜(1) work per message bit. I Main open direction: develop new kinds of constructions unlike those based on standard LWE (e.g., fully homomorphic PKE?) I Questions? More details? Find me here:

12 / 12