Ideal Lattices and Ring-LWE: Overview and Open Problems
Chris Peikert Georgia Institute of Technology
ICERM 23 April 2015
1 / 16 Agenda
1 Ring-LWE and its hardness from ideal lattices
2 Open questions
Selected bibliography: LPR’10 V. Lyubashevsky, C. Peikert, O. Regev. “On Ideal Lattices and Learning with Errors Over Rings,” Eurocrypt’10 and JACM’13. LPR’13 V. Lyubashevsky, C. Peikert, O. Regev. “A Toolkit for Ring-LWE Cryptography,” Eurocrypt’13.
2 / 16 1996 NTRU efficient ring-based encryption (heuristic security)
2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)
2005 Regev’s LWE: encryption with worst-case hardness (inefficient)
2008– Countless applications of LWE (still inefficient)
2010 Ring-LWE: efficient encryption, worst-case hardness()
A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient)
3 / 16 2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)
2005 Regev’s LWE: encryption with worst-case hardness (inefficient)
2008– Countless applications of LWE (still inefficient)
2010 Ring-LWE: efficient encryption, worst-case hardness()
A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient)
1996 NTRU efficient ring-based encryption (heuristic security)
3 / 16 2005 Regev’s LWE: encryption with worst-case hardness (inefficient)
2008– Countless applications of LWE (still inefficient)
2010 Ring-LWE: efficient encryption, worst-case hardness()
A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient)
1996 NTRU efficient ring-based encryption (heuristic security)
2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)
3 / 16 2008– Countless applications of LWE (still inefficient)
2010 Ring-LWE: efficient encryption, worst-case hardness()
A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient)
1996 NTRU efficient ring-based encryption (heuristic security)
2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)
2005 Regev’s LWE: encryption with worst-case hardness (inefficient)
3 / 16 2010 Ring-LWE: efficient encryption, worst-case hardness()
A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient)
1996 NTRU efficient ring-based encryption (heuristic security)
2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)
2005 Regev’s LWE: encryption with worst-case hardness (inefficient)
2008– Countless applications of LWE (still inefficient)
3 / 16 A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient)
1996 NTRU efficient ring-based encryption (heuristic security)
2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption)
2005 Regev’s LWE: encryption with worst-case hardness (inefficient)
2008– Countless applications of LWE (still inefficient)
2010 Ring-LWE: efficient encryption, worst-case hardness()
3 / 16 √ n ≤ error q
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also a classical reduction for search-LWE [P’09,BLPRS’13]
n I Search: find secret s ∈ Zq given many ‘noisy inner products’
Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n).
4 / 16 I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also a classical reduction for search-LWE [P’09,BLPRS’13]
√ n ≤ error q
Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
n a1 ← Zq ,b 1 ≈ ha1 , si mod q n a2 ← Zq ,b 2 ≈ ha2 , si mod q . .
4 / 16 I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also a classical reduction for search-LWE [P’09,BLPRS’13]
Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
n a1 ← Zq ,b 1 = ha1 , si + e1 ∈ Zq n a2 ← Zq ,b 2 = ha2 , si + e2 ∈ Zq . . √ n ≤ error q
4 / 16 I Also a classical reduction for search-LWE [P’09,BLPRS’13]
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ]
Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
. . . . A , b = As + e . . . . √ n ≤ error q
4 / 16 I Also a classical reduction for search-LWE [P’09,BLPRS’13]
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ]
Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
. . . . A , b = As + e . . . . √ n ≤ error q
I Decision: distinguish (A , b) from uniform (A , b)
4 / 16 I Also a classical reduction for search-LWE [P’09,BLPRS’13]
Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
. . . . A , b = As + e . . . . √ n ≤ error q
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ]
4 / 16 Learning With Errors [Regev’05] I Parameters: dimension n, modulus q = poly(n). n I Search: find secret s ∈ Zq given many ‘noisy inner products’
. . . . A , b = As + e . . . . √ n ≤ error q
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard (. . . maybe even for quantum!) worst case ≤ ≤ ≤ crypto lattice problems search-LWE decision-LWE (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also a classical reduction for search-LWE [P’09,BLPRS’13]
4 / 16 Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12]
Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]
Leakage-Resilient Crypto [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Fully Homomorphic Encryption [BV’11,BGV’12,GSW’13,. . . ] Attribute-Based Encryption [AFV’11,GVW’13,BGG+’14,. . . ] Symmetric-Key Primitives [BPR’12,BMLR’13,BP’14,. . . ] Other Exotic Encryption [ACPS’09,BHHI’10,OP’10,. . . ] the list goes on. . .
LWE is Versatile What kinds of crypto can we do with LWE?
5 / 16 Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]
Leakage-Resilient Crypto [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Fully Homomorphic Encryption [BV’11,BGV’12,GSW’13,. . . ] Attribute-Based Encryption [AFV’11,GVW’13,BGG+’14,. . . ] Symmetric-Key Primitives [BPR’12,BMLR’13,BP’14,. . . ] Other Exotic Encryption [ACPS’09,BHHI’10,OP’10,. . . ] the list goes on. . .
LWE is Versatile What kinds of crypto can we do with LWE?
Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12]
5 / 16 Leakage-Resilient Crypto [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Fully Homomorphic Encryption [BV’11,BGV’12,GSW’13,. . . ] Attribute-Based Encryption [AFV’11,GVW’13,BGG+’14,. . . ] Symmetric-Key Primitives [BPR’12,BMLR’13,BP’14,. . . ] Other Exotic Encryption [ACPS’09,BHHI’10,OP’10,. . . ] the list goes on. . .
LWE is Versatile What kinds of crypto can we do with LWE?
Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12]
Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]
5 / 16 LWE is Versatile What kinds of crypto can we do with LWE?
Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12]
Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]
Leakage-Resilient Crypto [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Fully Homomorphic Encryption [BV’11,BGV’12,GSW’13,. . . ] Attribute-Based Encryption [AFV’11,GVW’13,BGG+’14,. . . ] Symmetric-Key Primitives [BPR’12,BMLR’13,BP’14,. . . ] Other Exotic Encryption [ACPS’09,BHHI’10,OP’10,. . . ] the list goes on. . .
5 / 16 I Can amortize each ai over many secrets sj, but still O˜(n) work per scalar output.
I Cryptosystems have rather large keys: . . . . pk = A , b Ω(n) . . . .
| {zn } I Can fix A for all users, but still ≥ n2 work to encrypt & decrypt an n-bit message
LWE is (Sort Of) Efficient
I Getting one pseudorandom scalar requires an n-dim inner . . product mod q ··· ai ··· s + e = b ∈ Zq . .
6 / 16 I Cryptosystems have rather large keys: . . . . pk = A , b Ω(n) . . . .
| {zn } I Can fix A for all users, but still ≥ n2 work to encrypt & decrypt an n-bit message
LWE is (Sort Of) Efficient
I Getting one pseudorandom scalar requires an n-dim inner . . product mod q ··· ai ··· s + e = b ∈ Zq I Can amortize each ai over many . . secrets sj, but still O˜(n) work per scalar output.
6 / 16 I Can fix A for all users, but still ≥ n2 work to encrypt & decrypt an n-bit message
LWE is (Sort Of) Efficient
I Getting one pseudorandom scalar requires an n-dim inner . . product mod q ··· ai ··· s + e = b ∈ Zq I Can amortize each ai over many . . secrets sj, but still O˜(n) work per scalar output.
I Cryptosystems have rather large keys: . . . . pk = A , b Ω(n) . . . .
| {zn }
6 / 16 LWE is (Sort Of) Efficient
I Getting one pseudorandom scalar requires an n-dim inner . . product mod q ··· ai ··· s + e = b ∈ Zq I Can amortize each ai over many . . secrets sj, but still O˜(n) work per scalar output.
I Cryptosystems have rather large keys: . . . . pk = A , b Ω(n) . . . .
| {zn } I Can fix A for all users, but still ≥ n2 work to encrypt & decrypt an n-bit message
6 / 16 I Careful! With small error, coordinate-wise multiplication is insecure!
I Same ring structures used in NTRU cryptosystem [HPS’98], & in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
Question
I How to define the product ‘?’ so that (ai, bi) is pseudorandom?
Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.
Wishful Thinking. . .
. . . . Get n pseudorandom scalars . . . . I n from just one (cheap) ai?s+ei = bi ∈ Zq . . . . product operation? . . . .
7 / 16 I Same ring structures used in NTRU cryptosystem [HPS’98], & in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
I Careful! With small error, coordinate-wise multiplication is insecure!
Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.
Wishful Thinking. . .
. . . . Get n pseudorandom scalars . . . . I n from just one (cheap) ai?s+ei = bi ∈ Zq . . . . product operation? . . . .
Question
I How to define the product ‘?’ so that (ai, bi) is pseudorandom?
7 / 16 I Same ring structures used in NTRU cryptosystem [HPS’98], & in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.
Wishful Thinking. . .
. . . . Get n pseudorandom scalars . . . . I n from just one (cheap) ai?s+ei = bi ∈ Zq . . . . product operation? . . . .
Question
I How to define the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!
7 / 16 I Same ring structures used in NTRU cryptosystem [HPS’98], & in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
Wishful Thinking. . .
. . . . Get n pseudorandom scalars . . . . I n from just one (cheap) ai?s+ei = bi ∈ Zq . . . . product operation? . . . .
Question
I How to define the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!
Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.
7 / 16 Wishful Thinking. . .
. . . . Get n pseudorandom scalars . . . . I n from just one (cheap) ai?s+ei = bi ∈ Zq . . . . product operation? . . . .
Question
I How to define the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!
Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q. I Same ring structures used in NTRU cryptosystem [HPS’98], & in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ] 7 / 16 I Search: find secret ring element s(X) ∈ Rq, given:
a1 ← Rq ,b 1 = a1 · s + e1 ∈ Rq
a2 ← Rq ,b 2 = a2 · s + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = a3 · s + e3 ∈ Rq . .
Note: (ai,b i) are uniformly random subject to bi − ai · s ≈ 0
I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
LWE Over Rings, Over Simplified n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR
8 / 16 Note: (ai,b i) are uniformly random subject to bi − ai · s ≈ 0
I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)
I Search: find secret ring element s(X) ∈ Rq, given:
a1 ← Rq ,b 1 = a1 · s + e1 ∈ Rq
a2 ← Rq ,b 2 = a2 · s + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = a3 · s + e3 ∈ Rq . .
LWE Over Rings, Over Simplified n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
8 / 16 I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)
Note: (ai,b i) are uniformly random subject to bi − ai · s ≈ 0
LWE Over Rings, Over Simplified n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s(X) ∈ Rq, given:
a1 ← Rq ,b 1 = a1 · s + e1 ∈ Rq
a2 ← Rq ,b 2 = a2 · s + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = a3 · s + e3 ∈ Rq . .
8 / 16 I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)
LWE Over Rings, Over Simplified n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s(X) ∈ Rq, given:
a1 ← Rq ,b 1 = a1 · s + e1 ∈ Rq
a2 ← Rq ,b 2 = a2 · s + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = a3 · s + e3 ∈ Rq . .
Note: (ai,b i) are uniformly random subject to bi − ai · s ≈ 0
8 / 16 LWE Over Rings, Over Simplified n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s(X) ∈ Rq, given:
a1 ← Rq ,b 1 = a1 · s + e1 ∈ Rq
a2 ← Rq ,b 2 = a2 · s + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = a3 · s + e3 ∈ Rq . .
Note: (ai,b i) are uniformly random subject to bi − ai · s ≈ 0
I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)
8 / 16 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...
1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).
2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:
decision R-LWE ≤ lots of crypto
Hardness of Ring-LWE I Two main theorems (reductions):
worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)
9 / 16 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...
2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:
decision R-LWE ≤ lots of crypto
Hardness of Ring-LWE I Two main theorems (reductions):
worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)
1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).
9 / 16 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...
I Then:
decision R-LWE ≤ lots of crypto
Hardness of Ring-LWE I Two main theorems (reductions):
worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)
1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).
2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s.
9 / 16 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...
Hardness of Ring-LWE I Two main theorems (reductions):
worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)
1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).
2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:
decision R-LWE ≤ lots of crypto
9 / 16 Hardness of Ring-LWE I Two main theorems (reductions):
worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)
1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).
2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:
decision R-LWE ≤ lots of crypto
F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...
9 / 16 1 ‘Obvious’ answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.
2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)
n To get ideal lattices, embed R and its ideals into R . How?
Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.
10 / 16 + is coordinate-wise, but analyzing · is cumbersome.
2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)
1 ‘Obvious’ answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z
Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.
n To get ideal lattices, embed R and its ideals into R . How?
10 / 16 2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)
+ is coordinate-wise, but analyzing · is cumbersome.
Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.
n To get ideal lattices, embed R and its ideals into R . How? 1 ‘Obvious’ answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z
10 / 16 Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)
2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C
Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.
n To get ideal lattices, embed R and its ideals into R . How? 1 ‘Obvious’ answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.
10 / 16 Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)
Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.
n To get ideal lattices, embed R and its ideals into C . How? 1 ‘Obvious’ answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.
2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C
10 / 16 (NB: LWE error distribution is Gaussian in canonical embedding.)
Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.
n To get ideal lattices, embed R and its ideals into C . How? 1 ‘Obvious’ answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.
2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise.
10 / 16 Ideal Lattices n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.
n To get ideal lattices, embed R and its ideals into R . How? 1 ‘Obvious’ answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.
2 [Minkowski]:‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. (NB: LWE error distribution is Gaussian in canonical embedding.)
10 / 16 I I = hX − 2, −3X + 1i is an ideal in R.
σ(X − 2) σ(−3X + 1)
(Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, find a nearly shortest nonzero a ∈ I.
Ideal Lattices 2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i.
σ(X) = (i, −i) σ(1) = (1, 1)
11 / 16 (Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, find a nearly shortest nonzero a ∈ I.
Ideal Lattices 2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i. I I = hX − 2, −3X + 1i is an ideal in R.
σ(X) = (i, −i) σ(1) = (1, 1)
σ(X − 2) σ(−3X + 1)
11 / 16 Ideal Lattices 2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i. I I = hX − 2, −3X + 1i is an ideal in R.
σ(X) = (i, −i) σ(1) = (1, 1)
σ(X − 2) σ(−3X + 1)
(Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, find a nearly shortest nonzero a ∈ I. 11 / 16 I Proof follows the template of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.
I Main technique: ‘clearing ideals’ while preserving R-module structure: I/qI 7→ R/qR, I∨/qI∨ 7→ R∨/qR∨.
Uses Chinese remainder theorem and theory of duality for ideals.
Hardness of Search Ring-LWE
Theorem 1 For any large enough q, solving search R-LWE is as hard as quantumly solving poly(n)-approx SVP
in any (worst-case) ideal lattice in R = OK .
12 / 16 I Main technique: ‘clearing ideals’ while preserving R-module structure: I/qI 7→ R/qR, I∨/qI∨ 7→ R∨/qR∨.
Uses Chinese remainder theorem and theory of duality for ideals.
Hardness of Search Ring-LWE
Theorem 1 For any large enough q, solving search R-LWE is as hard as quantumly solving poly(n)-approx SVP
in any (worst-case) ideal lattice in R = OK .
I Proof follows the template of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.
12 / 16 Hardness of Search Ring-LWE
Theorem 1 For any large enough q, solving search R-LWE is as hard as quantumly solving poly(n)-approx SVP
in any (worst-case) ideal lattice in R = OK .
I Proof follows the template of [Regev’05] for LWE & arbitrary lattices. Quantum component used as ‘black-box;’ only classical part needs adaptation to the ring setting.
I Main technique: ‘clearing ideals’ while preserving R-module structure: I/qI 7→ R/qR, I∨/qI∨ 7→ R∨/qR∨.
Uses Chinese remainder theorem and theory of duality for ideals.
12 / 16 j ∗ I Modulo q, Φm(X) has n = ϕ(m) roots ω , for j ∈ Zm. ∼ n I So there is a ring isomorphism Rq = Zq given by