On the Ring-LWE and Polynomial-LWE problems

Size: px

Start display at page:

Download "On the Ring-LWE and Polynomial-LWE problems"

Charleen Clark
5 years ago
Views:

1 On the Ring-LWE and Polynomial-LWE problems Miruna Rosca Damien Stehlé Alexandre Wallet EUROCRYPT 2018 Miruna Rosca EUROCRYPT / 14

2 Lattices and hard problems Lattice Let b 1, b 2,..., b n R n be some linearly independent vectors. The set L(B) = {x 1 b 1 +x 2 b 2 + +x n b n : x i Z} = is called the lattice generated by them. Approx SVP γ Find a nonzero x Z n s.t. B x < γ min( B y : y Z n ). * some of the gures borrowed from A. Wallet Miruna Rosca EUROCRYPT / 14

3 How to use lattices for crypto? Miruna Rosca EUROCRYPT / 14

4 How to use lattices for crypto? Learning with Errors: Search: Find s. Decision: Distinguish this distribution from the uniform one. Miruna Rosca EUROCRYPT / 14

5 How to use lattices for crypto? eciency? Learning with Errors: Search: Find s. Decision: Distinguish this distribution from the uniform one. Miruna Rosca EUROCRYPT / 14

6 More structure: PLWE, RLWE, RLWE [SSTX09],[LPR10] f monic, deg. n, irred. R := Z[x]/f PLWE s R q := R/qR B s,σ distribution a U(R q ) e D Σ (a, b = a s + e mod qr) Miruna Rosca EUROCRYPT / 14

7 More structure: PLWE, RLWE, RLWE [SSTX09],[LPR10] K := Q[x]/f f monic, deg. n, irred. R := Z[x]/f n eld embeddings: σ j canonical embedding: σ(a) = (σ 1 (a),..., σ n(a)) H = {(v 1,..., v n) R s 1 C 2s 2 : v i+s1 +s 2 = v i+s1 } H = Span{h i } i { DΣ H : x D Σ output x i h i O K ring of integers of K, O K the dual of O K PLWE s R q := R/qR B s,σ distribution a U(R q ) e D Σ (a, b = a s + e mod qr) Miruna Rosca EUROCRYPT / 14

8 More structure: PLWE, RLWE, RLWE [SSTX09],[LPR10] K := Q[x]/f f monic, deg. n, irred. R := Z[x]/f n eld embeddings: σ j canonical embedding: σ(a) = (σ 1 (a),..., σ n(a)) H = {(v 1,..., v n) R s 1 C 2s 2 : v i+s1 +s 2 = v i+s1 } H = Span{h i } i { DΣ H : x D Σ output x i h i O K ring of integers of K, O K the dual of O K PLWE RLWE RLWE s R q := R/qR s O K,q := O K /qo K s O K,q := O K /qo K B s,σ distribution a U(R q ) e D Σ (a, b = a s + e mod qr) A s,σ distribution a U(O K,q ) e D H Σ (a, b = a s + e mod qo K) A s,σ distribution a U(O K,q ) e D H Σ (a, b = a s + e mod qo K) Miruna Rosca EUROCRYPT / 14

9 State of the art and Contributions ApproxSIVP (OK-modules) ApproxSVP (OK-ideals) [LS15] decision Module-LWE [AD17] [PRS17] decision RLWE search RLWE decision RLWE search RLWE decision PLWE search PLWE [RSSS17] [RSSS17] decision MPLWE search MPLWE Miruna Rosca EUROCRYPT / 14

10 State of the art and Contributions ApproxSIVP (OK-modules) ApproxSVP (OK-ideals) [LS15] decision Module-LWE [AD17] [PRS17] decision RLWE search RLWE decision RLWE search RLWE decision PLWE search PLWE [RSSS17] [RSSS17] decision MPLWE search MPLWE Miruna Rosca EUROCRYPT / 14

11 From RLWE to RLWE Assume t (O K ) 1 such that [ t] : O K,q O K,q. θ t : OK,q O K,q O K,q O K,q (a, b) (a, tb mod q) Miruna Rosca EUROCRYPT / 14

12 From RLWE to RLWE Assume t (O K ) 1 such that [ t] : O K,q O K,q. θ t : OK,q O K,q O K,q O K,q (a, b) (a, tb mod q) A s,σ to A s,σ If (a, b) A s,σ : tb = a(ts) + te, te DΣ H Σ = diag [ σ i (t) ] Σ diag [ σ i (t) ] uniform to uniform If (a, b) uniform: (a, tb) uniform Miruna Rosca EUROCRYPT / 14

13 From RLWE to RLWE Assume t (O K ) 1 such that [ t] : O K,q O K,q. θ t : OK,q O K,q O K,q O K,q (a, b) (a, tb mod q) A s,σ to A s,σ If (a, b) A s,σ : tb = a(ts) + te, te DΣ H Σ = diag [ σ i (t) ] Σ diag [ σ i (t) ] uniform to uniform If (a, b) uniform: (a, tb) uniform Does such a t exist? Miruna Rosca EUROCRYPT / 14

14 From RLWE to RLWE Assume t (O K ) 1 such that [ t] : O K,q O K,q. θ t : OK,q O K,q O K,q O K,q (a, b) (a, tb mod q) A s,σ to A s,σ If (a, b) A s,σ : tb = a(ts) + te, te DΣ H Σ = diag [ σ i (t) ] Σ diag [ σ i (t) ] uniform to uniform If (a, b) uniform: (a, tb) uniform Does such a t exist? How large is te? Miruna Rosca EUROCRYPT / 14

15 Control the size of t [LPR10] Compute t in poly(n)-time using CRT. Existence Size Miruna Rosca EUROCRYPT / 14

16 Control the size of t [LPR10] Compute t in poly(n)-time using CRT. Existence Size New result By Gaussian sampling on (O K ) 1, we can nd t with small σ(t). 1 Existence Size Idea: show that short vectors are not all trapped in (O K ) 1 J for J a divisor of (q). 1 It requires advice on the number eld. Miruna Rosca EUROCRYPT / 14

17 From RLWE to PLWE New result We can nd t in the conductor ideal C R := {t K : to K R} s.t. [ t] : O K,q R q and σ(t) is small. R? O K C R If C R coprime to qo K then O K,q C R /qc R R q. Miruna Rosca EUROCRYPT / 14

18 From RLWE to PLWE New result We can nd t in the conductor ideal C R := {t K : to K R} s.t. [ t] : O K,q R q and σ(t) is small. R? O K C R If C R coprime to qo K then O K,q C R /qc R R q. θ t : OK,q OK,q Rq Rq (a, b) (ta, t 2 b mod q) If (a, b) A s,σ : A s,σ to B s,σ t 2 b = (ta)(ts) + t 2 e uniform to uniform If (a, b) uniform: (ta, t 2 b) uniform Miruna Rosca EUROCRYPT / 14

19 Is this really PLWE? Not yet. e = t 2 e D H Σ t, where Σ t = diag[ σ i (t) 2 ] Σ diag[ σ i (t) 2 ]. The embedding of the error is small in H! Miruna Rosca EUROCRYPT / 14

20 Is this really PLWE? Not yet. e = t 2 e D H Σ t, where Σ t = diag[ σ i (t) 2 ] Σ diag[ σ i (t) 2 ]. The embedding of the error is small in H! Minkowski vs. Coecient embeddings: 1 α 1 α α n α 2 α α n 1 2 σ(a) = V f a, with V f = α n α 2 n... αn n 1 The α i 's are the roots of the polynomial f. Miruna Rosca EUROCRYPT / 14

21 How small is the coecient embedding? New noise: V f 1 σ(e ) D Σ, with Σ = V f Σ t V 1 f The distorsion introduced by V 1 f could be: too large reasonable too skew Miruna Rosca EUROCRYPT / 14

22 How to get a small distorsion? V 1 f small for f := X n c Z[X]. Miruna Rosca EUROCRYPT / 14

23 How to get a small distorsion? V 1 f small for f := X n c Z[X]. Can we nd more polynomials? V 1 f = ( Si,j j ), where j = k j (α k α j ). i,j Miruna Rosca EUROCRYPT / 14

24 How to get a small distorsion? V 1 f small for f := X n c Z[X]. Can we nd more polynomials? V 1 f = ( Si,j j ), where j = k j (α k α j ). i,j Idea: Try to apply a small perturbation on the roots of f and keep the norm small. Miruna Rosca EUROCRYPT / 14

25 Lots of polynomials f = X n c Z[X] Take P = n/2 i=1 p ix i Z[X] Perturbation: g := f + P Technique: Rouché theorem New result For every such g Z[X], we have that poly(n). V 1 g Miruna Rosca EUROCRYPT / 14

26 Search to decision New result There is a probabilistic poly. time reduction from search RLWE/RLWE to decision RLWE/RLWE. Miruna Rosca EUROCRYPT / 14

27 Search to decision New result There is a probabilistic poly. time reduction from search RLWE/RLWE to decision RLWE/RLWE. Technique: prove a LHL variant over rings and use it to create new samples Miruna Rosca EUROCRYPT / 14

28 Search to decision New result There is a probabilistic poly. time reduction from search RLWE/RLWE to decision RLWE/RLWE. Technique: prove a LHL variant over rings and use it to create new samples nd good approx. of the error by using the OHCP technique from [PRS17] nd the secret Miruna Rosca EUROCRYPT / 14

29 ApproxSIVP (OK-modules) ApproxSVP (OK-ideals) [LS15] decision Module-LWE [AD17] [PRS17] decision RLWE search RLWE decision RLWE search RLWE decision PLWE search PLWE [RSSS17] [RSSS17] decision MPLWE search MPLWE Thank you. Miruna Rosca EUROCRYPT / 14

On the Ring-LWE and Polynomial-LWE Problems

On the Ring-LWE and Polynomial-LWE Problems Miruna Rosca 1,2, Damien Stehlé 1, and Alexandre Wallet 1 1 ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), France 2 Bitdefender, Romania Abstract.