Ideal Lattices and Ring-LWE: Overview and Open Problems

Chris Peikert Georgia Institute of Technology

ICERM 23 April 2015

1 / 16 Agenda

1 Ring-LWE and its hardness from ideal lattices

2 Open questions

Selected bibliography: LPR’10 V. Lyubashevsky, C. Peikert, O. Regev. “On Ideal Lattices and Learning with Errors Over Rings,” Eurocrypt’10 and JACM’13. LPR’13 V. Lyubashevsky, C. Peikert, O. Regev. “A Toolkit for Ring-LWE Cryptography,” Eurocrypt’13.

2 / 16 1996 NTRU eﬃcient ring-based encryption (heuristic security)

2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)

2005 Regev’s LWE: encryption with worst-case hardness (ineﬃcient)

2008– Countless applications of LWE (still ineﬃcient)

2010 Ring-LWE: eﬃcient encryption, worst-case hardness()

A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very ineﬃcient)

3 / 16 2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)

2005 Regev’s LWE: encryption with worst-case hardness (ineﬃcient)

2008– Countless applications of LWE (still ineﬃcient)

2010 Ring-LWE: eﬃcient encryption, worst-case hardness()

A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very ineﬃcient)

1996 NTRU eﬃcient ring-based encryption (heuristic security)

3 / 16 2005 Regev’s LWE: encryption with worst-case hardness (ineﬃcient)

2008– Countless applications of LWE (still ineﬃcient)

2010 Ring-LWE: eﬃcient encryption, worst-case hardness()

A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very ineﬃcient)

1996 NTRU eﬃcient ring-based encryption (heuristic security)

2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)

3 / 16 2008– Countless applications of LWE (still ineﬃcient)

2010 Ring-LWE: eﬃcient encryption, worst-case hardness()

A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very ineﬃcient)

1996 NTRU eﬃcient ring-based encryption (heuristic security)

2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)

2005 Regev’s LWE: encryption with worst-case hardness (ineﬃcient)

3 / 16 2010 Ring-LWE: eﬃcient encryption, worst-case hardness()

A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very ineﬃcient)

1996 NTRU eﬃcient ring-based encryption (heuristic security)

2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)

2005 Regev’s LWE: encryption with worst-case hardness (ineﬃcient)

2008– Countless applications of LWE (still ineﬃcient)

3 / 16 A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very ineﬃcient)

1996 NTRU eﬃcient ring-based encryption (heuristic security)

2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)

2005 Regev’s LWE: encryption with worst-case hardness (ineﬃcient)

2008– Countless applications of LWE (still ineﬃcient)

2010 Ring-LWE: eﬃcient encryption, worst-case hardness()

3 / 16 √ n ≤ error q

I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also a classical reduction for search-LWE [P’09,BLPRS’13]

n I Search: ﬁnd secret s ∈ Zq given many ‘noisy inner products’

Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n).

4 / 16 I Decision: distinguish (A , b) from uniform (A , b)

√ n ≤ error q

Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: ﬁnd secret s ∈ Zq given many ‘noisy inner products’

n a1 ← Zq ,b 1 ≈ ha1 , si mod q n a2 ← Zq ,b 2 ≈ ha2 , si mod q . .

4 / 16 I Decision: distinguish (A , b) from uniform (A , b)

Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: ﬁnd secret s ∈ Zq given many ‘noisy inner products’

n a1 ← Zq ,b 1 = ha1 , si + e1 ∈ Zq n a2 ← Zq ,b 2 = ha2 , si + e2 ∈ Zq . . √ n ≤ error q

4 / 16 I Also a classical reduction for search-LWE [P’09,BLPRS’13]

I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ]

Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: ﬁnd secret s ∈ Zq given many ‘noisy inner products’

 .   .  . .      A  , b = As + e  .   .  . . √ n ≤ error q

4 / 16 I Also a classical reduction for search-LWE [P’09,BLPRS’13]

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ]

Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: ﬁnd secret s ∈ Zq given many ‘noisy inner products’

 .   .  . .      A  , b = As + e  .   .  . . √ n ≤ error q

I Decision: distinguish (A , b) from uniform (A , b)

4 / 16 I Also a classical reduction for search-LWE [P’09,BLPRS’13]

Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: ﬁnd secret s ∈ Zq given many ‘noisy inner products’

 .   .  . .      A  , b = As + e  .   .  . . √ n ≤ error q

I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ]

4 / 16 Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: ﬁnd secret s ∈ Zq given many ‘noisy inner products’

 .   .  . .      A  , b = As + e  .   .  . . √ n ≤ error q

I Decision: distinguish (A , b) from uniform (A , b)

4 / 16 Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12]

Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]

Leakage-Resilient Crypto [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Fully Homomorphic Encryption [BV’11,BGV’12,GSW’13,. . . ] Attribute-Based Encryption [AFV’11,GVW’13,BGG+’14,. . . ] Symmetric-Key Primitives [BPR’12,BMLR’13,BP’14,. . . ] Other Exotic Encryption [ACPS’09,BHHI’10,OP’10,. . . ] the list goes on. . .

LWE is Versatile What kinds of crypto can we do with LWE?

5 / 16 Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]

LWE is Versatile What kinds of crypto can we do with LWE?

Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12]

5 / 16 Leakage-Resilient Crypto [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Fully Homomorphic Encryption [BV’11,BGV’12,GSW’13,. . . ] Attribute-Based Encryption [AFV’11,GVW’13,BGG+’14,. . . ] Symmetric-Key Primitives [BPR’12,BMLR’13,BP’14,. . . ] Other Exotic Encryption [ACPS’09,BHHI’10,OP’10,. . . ] the list goes on. . .

LWE is Versatile What kinds of crypto can we do with LWE?

Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12]

Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]

5 / 16 LWE is Versatile What kinds of crypto can we do with LWE?

Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12]

Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]

5 / 16 I Can amortize each ai over many secrets sj, but still O˜(n) work per scalar output.

I Cryptosystems have rather large keys:     . . . .      pk =  A  , b Ω(n)  .   .  . . 

| {zn } I Can ﬁx A for all users, but still ≥ n2 work to encrypt & decrypt an n-bit message

LWE is (Sort Of) Eﬃcient

I Getting one pseudorandom scalar requires an n-dim inner . . product mod q   ··· ai ··· s + e = b ∈ Zq . .

6 / 16 I Cryptosystems have rather large keys:     . . . .      pk =  A  , b Ω(n)  .   .  . . 

| {zn } I Can ﬁx A for all users, but still ≥ n2 work to encrypt & decrypt an n-bit message

LWE is (Sort Of) Eﬃcient

I Getting one pseudorandom scalar requires an n-dim inner . . product mod q   ··· ai ··· s + e = b ∈ Zq   I Can amortize each ai over many . . secrets sj, but still O˜(n) work per scalar output.

6 / 16 I Can ﬁx A for all users, but still ≥ n2 work to encrypt & decrypt an n-bit message

LWE is (Sort Of) Eﬃcient

I Cryptosystems have rather large keys:     . . . .      pk =  A  , b Ω(n)  .   .  . . 

| {zn }

6 / 16 LWE is (Sort Of) Eﬃcient

I Cryptosystems have rather large keys:     . . . .      pk =  A  , b Ω(n)  .   .  . . 

| {zn } I Can ﬁx A for all users, but still ≥ n2 work to encrypt & decrypt an n-bit message

6 / 16 I Careful! With small error, coordinate-wise multiplication is insecure!

I Same ring structures used in NTRU cryptosystem [HPS’98], & in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]

Question

I How to deﬁne the product ‘?’ so that (ai, bi) is pseudorandom?

Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.

Wishful Thinking. . .

 .  .  .   .  Get n pseudorandom scalars . . . . I         n from just one (cheap) ai?s+ei = bi ∈ Zq  .  .  .   .  product operation? . . . .

7 / 16 I Same ring structures used in NTRU cryptosystem [HPS’98], & in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]

I Careful! With small error, coordinate-wise multiplication is insecure!

Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.

Wishful Thinking. . .

Question

I How to deﬁne the product ‘?’ so that (ai, bi) is pseudorandom?

7 / 16 I Same ring structures used in NTRU cryptosystem [HPS’98], & in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]

Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.

Wishful Thinking. . .

Question

I How to deﬁne the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!

7 / 16 I Same ring structures used in NTRU cryptosystem [HPS’98], & in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]

Wishful Thinking. . .

Question

I How to deﬁne the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!

Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.

7 / 16 Wishful Thinking. . .

Question

I How to deﬁne the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!

Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q. I Same ring structures used in NTRU cryptosystem [HPS’98], & in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ] 7 / 16 I Search: ﬁnd secret ring element s(X) ∈ Rq, given:

a1 ← Rq ,b 1 = a1 · s + e1 ∈ Rq

a2 ← Rq ,b 2 = a2 · s + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = a3 · s + e3 ∈ Rq . .

Note: (ai,b i) are uniformly random subject to bi − ai · s ≈ 0

I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)

F Elements of Rq are deg < n polynomials with mod-q coeﬃcients

F Operations in Rq are very eﬃcient using FFT-like algorithms

LWE Over Rings, Over Simpliﬁed n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR

8 / 16 Note: (ai,b i) are uniformly random subject to bi − ai · s ≈ 0

I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)

I Search: ﬁnd secret ring element s(X) ∈ Rq, given:

a1 ← Rq ,b 1 = a1 · s + e1 ∈ Rq

a2 ← Rq ,b 2 = a2 · s + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = a3 · s + e3 ∈ Rq . .

LWE Over Rings, Over Simpliﬁed n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR

F Elements of Rq are deg < n polynomials with mod-q coeﬃcients

F Operations in Rq are very eﬃcient using FFT-like algorithms

8 / 16 I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)

Note: (ai,b i) are uniformly random subject to bi − ai · s ≈ 0

LWE Over Rings, Over Simpliﬁed n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR

F Elements of Rq are deg < n polynomials with mod-q coeﬃcients

F Operations in Rq are very eﬃcient using FFT-like algorithms

I Search: ﬁnd secret ring element s(X) ∈ Rq, given:

a1 ← Rq ,b 1 = a1 · s + e1 ∈ Rq

a2 ← Rq ,b 2 = a2 · s + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = a3 · s + e3 ∈ Rq . .

8 / 16 I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)

LWE Over Rings, Over Simpliﬁed n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR

F Elements of Rq are deg < n polynomials with mod-q coeﬃcients

F Operations in Rq are very eﬃcient using FFT-like algorithms

I Search: ﬁnd secret ring element s(X) ∈ Rq, given:

a1 ← Rq ,b 1 = a1 · s + e1 ∈ Rq

a2 ← Rq ,b 2 = a2 · s + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = a3 · s + e3 ∈ Rq . .

Note: (ai,b i) are uniformly random subject to bi − ai · s ≈ 0

8 / 16 LWE Over Rings, Over Simpliﬁed n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR

F Elements of Rq are deg < n polynomials with mod-q coeﬃcients

F Operations in Rq are very eﬃcient using FFT-like algorithms

I Search: ﬁnd secret ring element s(X) ∈ Rq, given:

a1 ← Rq ,b 1 = a1 · s + e1 ∈ Rq

a2 ← Rq ,b 2 = a2 · s + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = a3 · s + e3 ∈ Rq . .

Note: (ai,b i) are uniformly random subject to bi − ai · s ≈ 0

I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)

8 / 16 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...

1 If you can ﬁnd s given (ai ,b i), then you can ﬁnd approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).

2 If you can distinguish (ai ,b i) from (ai ,b i), then you can ﬁnd s. I Then:

decision R-LWE ≤ lots of crypto

Hardness of Ring-LWE I Two main theorems (reductions):

worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)

9 / 16 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...

2 If you can distinguish (ai ,b i) from (ai ,b i), then you can ﬁnd s. I Then:

decision R-LWE ≤ lots of crypto

Hardness of Ring-LWE I Two main theorems (reductions):

worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)

1 If you can ﬁnd s given (ai ,b i), then you can ﬁnd approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).

9 / 16 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...

I Then:

decision R-LWE ≤ lots of crypto

Hardness of Ring-LWE I Two main theorems (reductions):

worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)

1 If you can ﬁnd s given (ai ,b i), then you can ﬁnd approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).

2 If you can distinguish (ai ,b i) from (ai ,b i), then you can ﬁnd s.

9 / 16 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...

Hardness of Ring-LWE I Two main theorems (reductions):

worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)

1 If you can ﬁnd s given (ai ,b i), then you can ﬁnd approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).

2 If you can distinguish (ai ,b i) from (ai ,b i), then you can ﬁnd s. I Then:

decision R-LWE ≤ lots of crypto

9 / 16 Hardness of Ring-LWE I Two main theorems (reductions):

worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)

1 If you can ﬁnd s given (ai ,b i), then you can ﬁnd approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).

2 If you can distinguish (ai ,b i) from (ai ,b i), then you can ﬁnd s. I Then:

decision R-LWE ≤ lots of crypto

F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...

9 / 16 1 ‘Obvious’ answer: ‘coeﬃcient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.

2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)

n To get ideal lattices, embed R and its ideals into R . How?

Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.

10 / 16 + is coordinate-wise, but analyzing · is cumbersome.

2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)

1 ‘Obvious’ answer: ‘coeﬃcient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z

Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.

n To get ideal lattices, embed R and its ideals into R . How?

10 / 16 2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)

+ is coordinate-wise, but analyzing · is cumbersome.

Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.

n To get ideal lattices, embed R and its ideals into R . How? 1 ‘Obvious’ answer: ‘coeﬃcient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z

10 / 16 Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)

2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C

Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.

n To get ideal lattices, embed R and its ideals into R . How? 1 ‘Obvious’ answer: ‘coeﬃcient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.

10 / 16 Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)

Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.

n To get ideal lattices, embed R and its ideals into C . How? 1 ‘Obvious’ answer: ‘coeﬃcient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.

2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C

10 / 16 (NB: LWE error distribution is Gaussian in canonical embedding.)

Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.

n To get ideal lattices, embed R and its ideals into C . How? 1 ‘Obvious’ answer: ‘coeﬃcient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.

2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise.

10 / 16 Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.

n To get ideal lattices, embed R and its ideals into R . How? 1 ‘Obvious’ answer: ‘coeﬃcient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.

2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)

10 / 16 I I = hX − 2, −3X + 1i is an ideal in R.

σ(X − 2) σ(−3X + 1)

(Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, ﬁnd a nearly shortest nonzero a ∈ I.

Ideal Lattices 2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i.

σ(X) = (i, −i) σ(1) = (1, 1)

11 / 16 (Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, ﬁnd a nearly shortest nonzero a ∈ I.

Ideal Lattices 2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i. I I = hX − 2, −3X + 1i is an ideal in R.

σ(X) = (i, −i) σ(1) = (1, 1)

σ(X − 2) σ(−3X + 1)

11 / 16 Ideal Lattices 2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i. I I = hX − 2, −3X + 1i is an ideal in R.

σ(X) = (i, −i) σ(1) = (1, 1)

σ(X − 2) σ(−3X + 1)

(Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, ﬁnd a nearly shortest nonzero a ∈ I. 11 / 16 I Proof follows the template of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.

I Main technique: ‘clearing ideals’ while preserving R-module structure: I/qI 7→ R/qR, I∨/qI∨ 7→ R∨/qR∨.

Uses Chinese remainder theorem and theory of duality for ideals.

Hardness of Search Ring-LWE

Theorem 1 For any large enough q, solving search R-LWE is as hard as quantumly solving poly(n)-approx SVP

in any (worst-case) ideal lattice in R = OK .

12 / 16 I Main technique: ‘clearing ideals’ while preserving R-module structure: I/qI 7→ R/qR, I∨/qI∨ 7→ R∨/qR∨.

Uses Chinese remainder theorem and theory of duality for ideals.

Hardness of Search Ring-LWE

Theorem 1 For any large enough q, solving search R-LWE is as hard as quantumly solving poly(n)-approx SVP

in any (worst-case) ideal lattice in R = OK .

I Proof follows the template of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.

12 / 16 Hardness of Search Ring-LWE

Theorem 1 For any large enough q, solving search R-LWE is as hard as quantumly solving poly(n)-approx SVP

in any (worst-case) ideal lattice in R = OK .

I Proof follows the template of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.

I Main technique: ‘clearing ideals’ while preserving R-module structure: I/qI 7→ R/qR, I∨/qI∨ 7→ R∨/qR∨.

Uses Chinese remainder theorem and theory of duality for ideals.

12 / 16 j ∗ I Modulo q, Φm(X) has n = ϕ(m) roots ω , for j ∈ Zm. ∼ n I So there is a ring isomorphism Rq = Zq given by

j n a(X) ∈ Rq 7→ a(ω ) ∗ ∈ q . j∈Zm Z

Facts Used in the Proof ∗ I Zq has order q − 1 = 0 mod m, so has an element ω of order m.

Hardness of Decision Ring-LWE

Theorem 2 ∼ Solving decision R-LWE in any cyclotomic R = Z[ζm] = Z[X]/Φm(X) (for any poly(n)-bounded prime q = 1 mod m) is as hard as solving search R-LWE.

13 / 16 j ∗ I Modulo q, Φm(X) has n = ϕ(m) roots ω , for j ∈ Zm. ∼ n I So there is a ring isomorphism Rq = Zq given by

j n a(X) ∈ Rq 7→ a(ω ) ∗ ∈ q . j∈Zm Z

Hardness of Decision Ring-LWE

Theorem 2 ∼ Solving decision R-LWE in any cyclotomic R = Z[ζm] = Z[X]/Φm(X) (for any poly(n)-bounded prime q = 1 mod m) is as hard as solving search R-LWE.

Facts Used in the Proof ∗ I Zq has order q − 1 = 0 mod m, so has an element ω of order m.

13 / 16 ∼ n I So there is a ring isomorphism Rq = Zq given by

j n a(X) ∈ Rq 7→ a(ω ) ∗ ∈ q . j∈Zm Z

Hardness of Decision Ring-LWE

Theorem 2 ∼ Solving decision R-LWE in any cyclotomic R = Z[ζm] = Z[X]/Φm(X) (for any poly(n)-bounded prime q = 1 mod m) is as hard as solving search R-LWE.

Facts Used in the Proof ∗ I Zq has order q − 1 = 0 mod m, so has an element ω of order m. j ∗ I Modulo q, Φm(X) has n = ϕ(m) roots ω , for j ∈ Zm.

13 / 16 Hardness of Decision Ring-LWE

Theorem 2 ∼ Solving decision R-LWE in any cyclotomic R = Z[ζm] = Z[X]/Φm(X) (for any poly(n)-bounded prime q = 1 mod m) is as hard as solving search R-LWE.

Facts Used in the Proof ∗ I Zq has order q − 1 = 0 mod m, so has an element ω of order m. j ∗ I Modulo q, Φm(X) has n = ϕ(m) roots ω , for j ∈ Zm. ∼ n I So there is a ring isomorphism Rq = Zq given by

j n a(X) ∈ Rq 7→ a(ω ) ∗ ∈ q . j∈Zm Z

13 / 16 k ∗ ω 7→ ω (k ∈ Zm) permutes roots of Φm(X), and preserves error. So send each ωj to ωj∗ , and use O to ﬁnd s(ωj).

j ∗ 1 Equivalent to finding s(ω ) ∈ Zq for all j ∈ Zm. j 2 Hybrid argument: randomize one b(ω ) ∈ Zq; or two; or three; or . . . Then O must distinguish relative to some ωj∗ . j∗ 3 Using O, guess-and-check to find s(ω ) ∈ Zq. 4 How to find other s(ωj)? Couldn’t O be useless at other roots?

Hardness of Decision Ring-LWE

Theorem 2 Solving decision Ring-LWE in Rq = Zq[X]/Φm(X) is as hard as solving search Ring-LWE.

Proof Sketch Given: O distinguishes samples (a,b ≈ a · s) from uniform (a,b ).

Goal: Find s ∈ Rq, given samples (a,b ≈ a · s).

14 / 16 k ∗ ω 7→ ω (k ∈ Zm) permutes roots of Φm(X), and preserves error. So send each ωj to ωj∗ , and use O to ﬁnd s(ωj).

j 2 Hybrid argument: randomize one b(ω ) ∈ Zq; or two; or three; or . . . Then O must distinguish relative to some ωj∗ . j∗ 3 Using O, guess-and-check to ﬁnd s(ω ) ∈ Zq. 4 How to ﬁnd other s(ωj)? Couldn’t O be useless at other roots?

Hardness of Decision Ring-LWE

Theorem 2 Solving decision Ring-LWE in Rq = Zq[X]/Φm(X) is as hard as solving search Ring-LWE.

Proof Sketch Given: O distinguishes samples (a,b ≈ a · s) from uniform (a,b ).

Goal: Find s ∈ Rq, given samples (a,b ≈ a · s). j ∗ 1 Equivalent to ﬁnding s(ω ) ∈ Zq for all j ∈ Zm.

14 / 16 k ∗ ω 7→ ω (k ∈ Zm) permutes roots of Φm(X), and preserves error. So send each ωj to ωj∗ , and use O to ﬁnd s(ωj).

j∗ 3 Using O, guess-and-check to ﬁnd s(ω ) ∈ Zq. 4 How to ﬁnd other s(ωj)? Couldn’t O be useless at other roots?

Hardness of Decision Ring-LWE

Theorem 2 Solving decision Ring-LWE in Rq = Zq[X]/Φm(X) is as hard as solving search Ring-LWE.

Proof Sketch Given: O distinguishes samples (a,b ≈ a · s) from uniform (a,b ).

14 / 16 k ∗ ω 7→ ω (k ∈ Zm) permutes roots of Φm(X), and preserves error. So send each ωj to ωj∗ , and use O to ﬁnd s(ωj).

4 How to ﬁnd other s(ωj)? Couldn’t O be useless at other roots?

Hardness of Decision Ring-LWE

Theorem 2 Solving decision Ring-LWE in Rq = Zq[X]/Φm(X) is as hard as solving search Ring-LWE.

Proof Sketch Given: O distinguishes samples (a,b ≈ a · s) from uniform (a,b ).

14 / 16 k ∗ ω 7→ ω (k ∈ Zm) permutes roots of Φm(X), and preserves error. So send each ωj to ωj∗ , and use O to ﬁnd s(ωj).

Hardness of Decision Ring-LWE

Theorem 2 Solving decision Ring-LWE in Rq = Zq[X]/Φm(X) is as hard as solving search Ring-LWE.

Proof Sketch Given: O distinguishes samples (a,b ≈ a · s) from uniform (a,b ).

14 / 16 So send each ωj to ωj∗ , and use O to ﬁnd s(ωj).

Hardness of Decision Ring-LWE

Theorem 2 Solving decision Ring-LWE in Rq = Zq[X]/Φm(X) is as hard as solving search Ring-LWE.

Proof Sketch Given: O distinguishes samples (a,b ≈ a · s) from uniform (a,b ).

14 / 16 Hardness of Decision Ring-LWE

Theorem 2 Solving decision Ring-LWE in Rq = Zq[X]/Φm(X) is as hard as solving search Ring-LWE.

Proof Sketch Given: O distinguishes samples (a,b ≈ a · s) from uniform (a,b ).

Goal: Find s ∈ Rq, given samples (a,b ≈ a · s). j ∗ 1 Equivalent to finding s(ω ) ∈ Zq for all j ∈ Zm. j 2 Hybrid argument: randomize one b(ω ) ∈ Zq; or two; or three; or . . . Then O must distinguish relative to some ωj∗ . j∗ 3 Using O, guess-and-check to find s(ω ) ∈ Zq. 4 How to find other s(ωj)? Couldn’t O be useless at other roots? k ∗ ω 7→ ω (k ∈ Zm) permutes roots of Φm(X), and preserves error. So send each ωj to ωj∗ , and use O to find s(ωj). 14 / 16 Decision-S-LWE easily broken, but search unaffected. [EHL’14,ELOS’15] “cyclotomic fields, used for Ring-LWE, are uniquely protected against the attacks presented in this paper”

F Yes, for any Galois number ﬁeld (identical proof).

F Probably not, for carefully constructed rings S, moduli q, and errors!

F [P’09] reduces GapSVP (i.e., estimate λ1(L)) on general lattices to plain-LWE, classically.

F But estimating λ1(L) is trivially easy on ideal lattices! Finding short vectors is what appears hard.

2 Search- and decision-R-LWE are equivalent in cyclotomic R. Does this hold in other kinds of rings?

Open Problems: Reductions

1 Search-R-LWE is quantumly at least as hard as approx-R-SVP. Is there a classical reduction?

15 / 16 Decision-S-LWE easily broken, but search unaﬀected. [EHL’14,ELOS’15] “cyclotomic ﬁelds, used for Ring-LWE, are uniquely protected against the attacks presented in this paper”

F Yes, for any Galois number ﬁeld (identical proof).

F Probably not, for carefully constructed rings S, moduli q, and errors!

F But estimating λ1(L) is trivially easy on ideal lattices! Finding short vectors is what appears hard.

2 Search- and decision-R-LWE are equivalent in cyclotomic R. Does this hold in other kinds of rings?

Open Problems: Reductions

1 Search-R-LWE is quantumly at least as hard as approx-R-SVP. Is there a classical reduction?

F [P’09] reduces GapSVP (i.e., estimate λ1(L)) on general lattices to plain-LWE, classically.

15 / 16 Decision-S-LWE easily broken, but search unaﬀected. [EHL’14,ELOS’15] “cyclotomic ﬁelds, used for Ring-LWE, are uniquely protected against the attacks presented in this paper”

F Yes, for any Galois number ﬁeld (identical proof).

F Probably not, for carefully constructed rings S, moduli q, and errors!

2 Search- and decision-R-LWE are equivalent in cyclotomic R. Does this hold in other kinds of rings?

Open Problems: Reductions

1 Search-R-LWE is quantumly at least as hard as approx-R-SVP. Is there a classical reduction?

F [P’09] reduces GapSVP (i.e., estimate λ1(L)) on general lattices to plain-LWE, classically.

F But estimating λ1(L) is trivially easy on ideal lattices! Finding short vectors is what appears hard.

15 / 16 Decision-S-LWE easily broken, but search unaﬀected. [EHL’14,ELOS’15] “cyclotomic ﬁelds, used for Ring-LWE, are uniquely protected against the attacks presented in this paper”

F Yes, for any Galois number ﬁeld (identical proof).

F Probably not, for carefully constructed rings S, moduli q, and errors!

Open Problems: Reductions

1 Search-R-LWE is quantumly at least as hard as approx-R-SVP. Is there a classical reduction?

F [P’09] reduces GapSVP (i.e., estimate λ1(L)) on general lattices to plain-LWE, classically.

F But estimating λ1(L) is trivially easy on ideal lattices! Finding short vectors is what appears hard.

2 Search- and decision-R-LWE are equivalent in cyclotomic R. Does this hold in other kinds of rings?

15 / 16 Decision-S-LWE easily broken, but search unaﬀected. [EHL’14,ELOS’15] “cyclotomic ﬁelds, used for Ring-LWE, are uniquely protected against the attacks presented in this paper”

F Probably not, for carefully constructed rings S, moduli q, and errors!

Open Problems: Reductions

1 Search-R-LWE is quantumly at least as hard as approx-R-SVP. Is there a classical reduction?

F [P’09] reduces GapSVP (i.e., estimate λ1(L)) on general lattices to plain-LWE, classically.

F But estimating λ1(L) is trivially easy on ideal lattices! Finding short vectors is what appears hard.

2 Search- and decision-R-LWE are equivalent in cyclotomic R. Does this hold in other kinds of rings?

F Yes, for any Galois number ﬁeld (identical proof).

15 / 16 Decision-S-LWE easily broken, but search unaﬀected. [EHL’14,ELOS’15] “cyclotomic ﬁelds, used for Ring-LWE, are uniquely protected against the attacks presented in this paper”

Open Problems: Reductions

1 Search-R-LWE is quantumly at least as hard as approx-R-SVP. Is there a classical reduction?

F [P’09] reduces GapSVP (i.e., estimate λ1(L)) on general lattices to plain-LWE, classically.

F But estimating λ1(L) is trivially easy on ideal lattices! Finding short vectors is what appears hard.

2 Search- and decision-R-LWE are equivalent in cyclotomic R. Does this hold in other kinds of rings?

F Yes, for any Galois number ﬁeld (identical proof).

F Probably not, for carefully constructed rings S, moduli q, and errors!

15 / 16 “cyclotomic ﬁelds, used for Ring-LWE, are uniquely protected against the attacks presented in this paper”

Open Problems: Reductions

1 Search-R-LWE is quantumly at least as hard as approx-R-SVP. Is there a classical reduction?

F [P’09] reduces GapSVP (i.e., estimate λ1(L)) on general lattices to plain-LWE, classically.

F But estimating λ1(L) is trivially easy on ideal lattices! Finding short vectors is what appears hard.

2 Search- and decision-R-LWE are equivalent in cyclotomic R. Does this hold in other kinds of rings?

F Yes, for any Galois number ﬁeld (identical proof).

F Probably not, for carefully constructed rings S, moduli q, and errors! Decision-S-LWE easily broken, but search unaﬀected. [EHL’14,ELOS’15]

15 / 16 Open Problems: Reductions

1 Search-R-LWE is quantumly at least as hard as approx-R-SVP. Is there a classical reduction?

F [P’09] reduces GapSVP (i.e., estimate λ1(L)) on general lattices to plain-LWE, classically.

F But estimating λ1(L) is trivially easy on ideal lattices! Finding short vectors is what appears hard.

2 Search- and decision-R-LWE are equivalent in cyclotomic R. Does this hold in other kinds of rings?

F Yes, for any Galois number ﬁeld (identical proof).

F Probably not, for carefully constructed rings S, moduli q, and errors! Decision-S-LWE easily broken, but search unaﬀected. [EHL’14,ELOS’15] “cyclotomic ﬁelds, used for Ring-LWE, are uniquely protected against the attacks presented in this paper”

15 / 16 F Despite abundant ring structure (e.g., subﬁelds, Galois), no substantial improvement over attacks on general lattices.

F Next up: attacks on a specialized variant: given a principal ideal I guaranteed to have an “unusually short” generator, ﬁnd it.

F These conditions are extremely rare for general ideals, so (worst-case) approx-R-SVP is unaﬀected.

F R-LWE samples (ai,b i)i=1,...,` don’t readily translate to ideals in R.

F They do yield a BDD instance on an R-module lattice:

` L = (vi): vi = ai · z (mod qR) ⊆ R

2 How hard/easy is approx-R-SVP, anyway? (In cyclotomics etc.)

Open Problems: Attacks

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

16 / 16 F Despite abundant ring structure (e.g., subﬁelds, Galois), no substantial improvement over attacks on general lattices.

F Next up: attacks on a specialized variant: given a principal ideal I guaranteed to have an “unusually short” generator, ﬁnd it.

F These conditions are extremely rare for general ideals, so (worst-case) approx-R-SVP is unaﬀected.

F They do yield a BDD instance on an R-module lattice:

` L = (vi): vi = ai · z (mod qR) ⊆ R

2 How hard/easy is approx-R-SVP, anyway? (In cyclotomics etc.)

Open Problems: Attacks

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

F R-LWE samples (ai,b i)i=1,...,` don’t readily translate to ideals in R.

16 / 16 F Despite abundant ring structure (e.g., subﬁelds, Galois), no substantial improvement over attacks on general lattices.

F Next up: attacks on a specialized variant: given a principal ideal I guaranteed to have an “unusually short” generator, ﬁnd it.

F These conditions are extremely rare for general ideals, so (worst-case) approx-R-SVP is unaﬀected.

2 How hard/easy is approx-R-SVP, anyway? (In cyclotomics etc.)

Open Problems: Attacks

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

F R-LWE samples (ai,b i)i=1,...,` don’t readily translate to ideals in R.

F They do yield a BDD instance on an R-module lattice:

` L = (vi): vi = ai · z (mod qR) ⊆ R

16 / 16 F Despite abundant ring structure (e.g., subﬁelds, Galois), no substantial improvement over attacks on general lattices.

F Next up: attacks on a specialized variant: given a principal ideal I guaranteed to have an “unusually short” generator, ﬁnd it.

F These conditions are extremely rare for general ideals, so (worst-case) approx-R-SVP is unaﬀected.

Open Problems: Attacks

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

F R-LWE samples (ai,b i)i=1,...,` don’t readily translate to ideals in R.

F They do yield a BDD instance on an R-module lattice:

` L = (vi): vi = ai · z (mod qR) ⊆ R

2 How hard/easy is approx-R-SVP, anyway? (In cyclotomics etc.)

16 / 16 F Next up: attacks on a specialized variant: given a principal ideal I guaranteed to have an “unusually short” generator, ﬁnd it.

F These conditions are extremely rare for general ideals, so (worst-case) approx-R-SVP is unaﬀected.

Open Problems: Attacks

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

F R-LWE samples (ai,b i)i=1,...,` don’t readily translate to ideals in R.

F They do yield a BDD instance on an R-module lattice:

` L = (vi): vi = ai · z (mod qR) ⊆ R

2 How hard/easy is approx-R-SVP, anyway? (In cyclotomics etc.)

F Despite abundant ring structure (e.g., subﬁelds, Galois), no substantial improvement over attacks on general lattices.

16 / 16 F These conditions are extremely rare for general ideals, so (worst-case) approx-R-SVP is unaﬀected.

Open Problems: Attacks

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

F R-LWE samples (ai,b i)i=1,...,` don’t readily translate to ideals in R.

F They do yield a BDD instance on an R-module lattice:

` L = (vi): vi = ai · z (mod qR) ⊆ R

2 How hard/easy is approx-R-SVP, anyway? (In cyclotomics etc.)

F Despite abundant ring structure (e.g., subﬁelds, Galois), no substantial improvement over attacks on general lattices.

F Next up: attacks on a specialized variant: given a principal ideal I guaranteed to have an “unusually short” generator, ﬁnd it.

16 / 16 Open Problems: Attacks

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

F R-LWE samples (ai,b i)i=1,...,` don’t readily translate to ideals in R.

F They do yield a BDD instance on an R-module lattice:

` L = (vi): vi = ai · z (mod qR) ⊆ R

2 How hard/easy is approx-R-SVP, anyway? (In cyclotomics etc.)

F Despite abundant ring structure (e.g., subﬁelds, Galois), no substantial improvement over attacks on general lattices.

F Next up: attacks on a specialized variant: given a principal ideal I guaranteed to have an “unusually short” generator, ﬁnd it.

F These conditions are extremely rare for general ideals, so (worst-case) approx-R-SVP is unaﬀected.

16 / 16