Hostname: page-component-cd9895bd7-fscjk Total loading time: 0 Render date: 2024-12-26T03:20:24.715Z Has data issue: false hasContentIssue false

On error distributions in ring-based LWE

Published online by Cambridge University Press:  26 August 2016

Wouter Castryck
Affiliation:
KU Leuven ESAT/COSIC and iMinds, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium Vakgroep Wiskunde, Universiteit Gent, Krijgslaan 281/S22, B-9000 Gent, Belgium email wouter.castryck@gmail.com
Ilia Iliashenko
Affiliation:
KU Leuven ESAT/COSIC and iMinds, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium email ilia.iliashenko@esat.kuleuven.be
Frederik Vercauteren
Affiliation:
KU Leuven ESAT/COSIC and iMinds, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium Open Security Research, Fangda 704, 11 Kejinan 12th road, 518000 Shenzhen, China email frederik.vercauteren@gmail.com

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the ring learning with errors problem (ring-LWE) has become a popular building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction from ideal lattice problems. But, for a given modulus $q$ and degree $n$ number field $K$, generating ring-LWE samples can be perceived as cumbersome, because the secret keys have to be taken from the reduction mod $q$ of a certain fractional ideal ${\mathcal{O}}_{K}^{\vee }\subset K$ called the codifferent or ‘dual’, rather than from the ring of integers ${\mathcal{O}}_{K}$ itself. This has led to various non-dual variants of ring-LWE, in which one compensates for the non-duality by scaling up the errors. We give a comparison of these versions, and revisit some unfortunate choices that have been made in the recent literature, one of which is scaling up by ${|\unicode[STIX]{x1D6E5}_{K}|}^{1/2n}$ with $\unicode[STIX]{x1D6E5}_{K}$ the discriminant of $K$. As a main result, we provide, for any $\unicode[STIX]{x1D700}>0$, a family of number fields $K$ for which this variant of ring-LWE can be broken easily as soon as the errors are scaled up by ${|\unicode[STIX]{x1D6E5}_{K}|}^{(1-\unicode[STIX]{x1D700})/n}$.

Type
Research Article
Copyright
© The Author(s) 2016 

References

Brakerski, Z., Gentry, C. and Vaikunthanathan, V., ‘(Leveled) Fully homomorphic encryption without bootstrapping’, Proceedings of the 3rd Innovations in Theoretical Computer Science Conference – ITCS ’12 (ACM, New York, NY, 2012) 309325.CrossRefGoogle Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O. and Stehlé, D., ‘Classical hardness of learning with errors’, ACM Symposium on the Theory of Computing – STOC ’13 (ACM, New York, NY, 2013) 575584.Google Scholar
Brakerski, Z. and Vaikunthanathan, V., ‘Efficient fully homomorphic encryption from (standard) LWE’, Proceedings of the 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science – FOCS ’11 (IEEE, Washington, DC, 2011) 97106.Google Scholar
Castryck, W., Iliashenko, I. and Vercauteren, F., ‘Provably weak instances of Ring-LWE revisited’, Advances in cryptology – EUROCRYPT 2016 , Lecture Notes in Computer Science 9665(1) (Springer, New York, NY, 2016) 147167.CrossRefGoogle Scholar
Chen, H., Lauter, K. and Stange, K., ‘Attacks on search RLWE’, Cryptology ePreprint Archive, Report 2015/971 2015.Google Scholar
Chen, H., Lauter, K. and Stange, K., ‘Vulnerable Galois RLWE families and improved attacks’, Proceedings of Selected Areas in Cryptography (SAC 2016, St. John’s, Canada), Lecture Notes in Computer Science (Springer, New York, NY, to appear); Cryptology ePreprint Archive, Report 2016/193 2016.Google Scholar
Crockett, E. and Peikert, C., ‘ $\unicode[STIX]{x1D6EC}\circ \unicode[STIX]{x1D706}$ : A functional library for lattice cryptography’, Cryptology ePreprint Archive, Report 2015/1134 2015.Google Scholar
Davenport, H., Multiplicative number theory , 2nd edn, Graduate Texts in Mathematics 74 (Springer, New York, NY, 2000) (revised by H. Montgomery).Google Scholar
de Smit, B., ‘A differential criterion for complete intersections’, Journées Arithmétiques 1995, Collect. Math. 48 (1997) no. 1–2, 8596.Google Scholar
Eisenträger, K., Hallgren, S. and Lauter, K., ‘Weak instances of PLWE’, Selected areas in cryptography – SAC 2014 , Lecture Notes in Computer Science 8781 (Springer, New York, NY, 2014) 183194.Google Scholar
Elias, Y., Lauter, K., Ozman, E. and Stange, K., ‘Provably weak instances of Ring-LWE’, Advances in cryptology – CRYPTO ’15 , Lecture Notes in Computer Science 9215 (Springer, New York, NY, 2015) 6392.Google Scholar
Fröhlich, A. and Taylor, M., Algebraic number theory , Cambridge Studies in Advances Mathematics 27 (Cambridge University Press, Cambridge, 1991).Google Scholar
Gentry, C., ‘Key recovery and message attacks on NTRU-Composite’, EUROCRYPT ’01 , Lecture Notes in Computer Science 2045 (Springer, New York, NY, 2001) 182194.Google Scholar
Hoffstein, J., Pipher, J. and Silverman, J. H., ‘NTRU: a ring-based public key cryptosystem’, Proceedings of the Third International Symposium on Algorithmic Number Theory – ANTS-III , Lecture Notes in Computer Science 1423 (Springer, New York, NY, 1998) 267288.Google Scholar
Johnston, H., ‘Notes on Galois modules’, Notes accompanying the course ‘Galois Modules’ given in Cambridge (2011), https://www.dpmms.cam.ac.uk/∼hlj31/GM_CourseNotes101.pdf [accessed 22 July 2016].Google Scholar
Lyubashevsky, V., Peikert, C. and Regev, O., ‘On ideal lattices and learning with errors over rings’, J. ACM 60 (2013) no. 6, article 43, 35.Google Scholar
Peikert, C., ‘Public-key cryptosystems from the worst-case shortest vector problem’, ACM Symposium on the Theory of Computing – STOC ’09 (ACM, New York, NY, 2009) 333342.Google Scholar
Peikert, C., ‘How (not) to instantiate Ring-LWE’, Cryptology ePrint Archive, Report 2016/351 2016.Google Scholar
Regev, O., ‘On lattices, learning with errors, random linear codes, and cryptography’, J. ACM 56 (2009) no. 6, article 34, 40.Google Scholar
Shor, P., ‘Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer’, SIAM J. Comput. 26 (1997) no. 5, 14841509.CrossRefGoogle Scholar
Washington, L., Introduction to cyclotomic fields , Graduate Texts in Mathematics 83 (Springer, New York, NY, 1982).Google Scholar