Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3

Size: px

Start display at page:

Download "Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3"

Julie Murphy
5 years ago
Views:

1 A Tooλκit for Riνγ-ΛΩE κρyπτ oγραφ Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt May 1 / 12

2 A Toolkit for Ring-LWE Cryptography Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt May 1 / 12

3 Lattice- and Ring-Based Cryptography Offers worst-case hardness [Ajtai 96,... ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. 2 / 12

4 Lattice- and Ring-Based Cryptography Offers worst-case hardness [Ajtai 96,... ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. Many exciting developments in recent years: Encryption [R 05,PW 08,PVW 08,ACPS 09,... ] Signatures [LM 08,GPV 08,L 09,CHKP 10,B 10,GKV 10,BF 11ab,L 12,... ] (H)IBE & FE [GPV 08,CHKP 10,ABB 10,AFV 11,... ] FHE [G 09,vDGHV 10,SV 11,BV 11ab,BGV 12,B 12,... ] Multi-linear maps [GGH 13,CLT 13,... ] 2 / 12

5 Lattice- and Ring-Based Cryptography Offers worst-case hardness [Ajtai 96,... ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. Many exciting developments in recent years: Encryption [R 05,PW 08,PVW 08,ACPS 09,... ] Signatures [LM 08,GPV 08,L 09,CHKP 10,B 10,GKV 10,BF 11ab,L 12,... ] (H)IBE & FE [GPV 08,CHKP 10,ABB 10,AFV 11,... ] FHE [G 09,vDGHV 10,SV 11,BV 11ab,BGV 12,B 12,... ] Multi-linear maps [GGH 13,CLT 13,... ] Most modern schemes are based on the SIS/LWE problems [A 96,R 05] and/or their ring variants [M 02,PR 06,LM 06,LPR 10]. 2 / 12

6 Lattice- and Ring-Based Cryptography Offers worst-case hardness [Ajtai 96,... ], asymptotic efficiency & parallelism, and (apparent) quantum resistance. Many exciting developments in recent years: Encryption [R 05,PW 08,PVW 08,ACPS 09,... ] Signatures [LM 08,GPV 08,L 09,CHKP 10,B 10,GKV 10,BF 11ab,L 12,... ] (H)IBE & FE [GPV 08,CHKP 10,ABB 10,AFV 11,... ] FHE [G 09,vDGHV 10,SV 11,BV 11ab,BGV 12,B 12,... ] Multi-linear maps [GGH 13,CLT 13,... ] Most modern schemes are based on the SIS/LWE problems [A 96,R 05] and/or their ring variants [M 02,PR 06,LM 06,LPR 10]. SIS/LWE aren t quite practical: Ω(n 2 ) key sizes and runtimes Ring-based primitives are! Õ(n) complexity 2 / 12

7 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. 3 / 12

8 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. 3 / 12

9 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. Error ( noise ) terms e(x) R are short. What could this mean? 3 / 12

10 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. Error ( noise ) terms e(x) R are short. What could this mean? n 1 e(x) = e j X j (e 0, e 1,..., e n 1 ) Z n. j=0 3 / 12

11 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. Error ( noise ) terms e(x) R are short. What could this mean? n 1 e(x) = e j X j (e 0, e 1,..., e n 1 ) Z n. j=0 Applications need (+, )-combinations of errors to remain short, so we can decode them modulo q. Significantly affects security. 3 / 12

12 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. Error ( noise ) terms e(x) R are short. What could this mean? n 1 e(x) = e j X j (e 0, e 1,..., e n 1 ) Z n. j=0 Applications need (+, )-combinations of errors to remain short, so we can decode them modulo q. Significantly affects security. e + e e + e e e n e e. 3 / 12

13 LWE Over Rings, Over-Simplified [LPR 10] Ring R := Z[X]/(1 + X n ) for some n = 2 k, R q := R/qR. For s R q, pairs {(a i, b i )} c uniform {(a i, b i )}: a 1 R q, b 1 = a 1 s + e 1 R q a 2 R q, b 2 = a 2 s + e 2 R q. Error ( noise ) terms e(x) R are short. What could this mean? n 1 e(x) = e j X j (e 0, e 1,..., e n 1 ) Z n. j=0 Applications need (+, )-combinations of errors to remain short, so we can decode them modulo q. Significantly affects security. e + e e + e e e n e e. ( Expansion factor n is worst-case, often quite loose.) 3 / 12

14 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. 4 / 12

15 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. They are rare might make keys unnecessarily large in practice. 4 / 12

16 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. They are rare might make keys unnecessarily large in practice. Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV 11] and applications [GHS 12abc] 4 / 12

17 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. They are rare might make keys unnecessarily large in practice. Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV 11] and applications [GHS 12abc] The mth cyclotomic ring: R = Z[X]/Φ m (X) where Φ m (X) = (X ωm) i Z[X], ω m = e 2π 1/m C. i Z m Note: Φ m (X) divides (X m 1), has degree n = ϕ(m) = deg(φ m ). Power Z-basis of R is {1, X, X 2,..., X n 1 }. 4 / 12

18 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. They are rare might make keys unnecessarily large in practice. Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV 11] and applications [GHS 12abc] The mth cyclotomic ring: R = Z[X]/Φ m (X) where Φ m (X) = (X ωm) i Z[X], ω m = e 2π 1/m C. i Z m Note: Φ m (X) divides (X m 1), has degree n = ϕ(m) = deg(φ m ). Power Z-basis of R is {1, X, X 2,..., X n 1 }. Examples: Φ 2 k+1(x) = 1 + X 2k, Φ 9 (X) = 1 + X 3 + X 6. 4 / 12

19 More Rings, Please! Rings Z[X]/(1 + X 2k ) don t meet all our needs. They are rare might make keys unnecessarily large in practice. Many schemes cannot use them at all! E.g., SIMD homom. encryption [SV 11] and applications [GHS 12abc] The mth cyclotomic ring: R = Z[X]/Φ m (X) where Φ m (X) = (X ωm) i Z[X], ω m = e 2π 1/m C. i Z m Note: Φ m (X) divides (X m 1), has degree n = ϕ(m) = deg(φ m ). Power Z-basis of R is {1, X, X 2,..., X n 1 }. Examples: Φ 2 k+1(x) = 1 + X 2k, Φ 9 (X) = 1 + X 3 + X 6. Ring-LWE (appropriately defined) is hard in any cyclotomic [LPR 10]... assuming problems on ideal lattices are quantum-hard in the worst case. 4 / 12

20 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). 5 / 12

21 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. 5 / 12

22 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = / 12

23 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = What about non-prime power m? 5 / 12

24 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = What about non-prime power m? Φ 21 (X) = 1 X + X 3 X 4 + X 6 X 8 + X 9 X 11 + X 12 5 / 12

25 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = What about non-prime power m? Φ 21 (X) = 1 X + X 3 X 4 + X 6 X 8 + X 9 X 11 + X 12 Φ 105 (X): degree 48; 33 monomials with { 2, 1, 1}-coefficients 5 / 12

26 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = What about non-prime power m? Φ 21 (X) = 1 X + X 3 X 4 + X 6 X 8 + X 9 X 11 + X 12 Φ 105 (X): degree 48; 33 monomials with { 2, 1, 1}-coefficients Φ (X): highly irregular; large coeffs 5 / 12

27 The Form of Cyclotomic Polynomials For prime p, Φ p (X) = 1 + X + X X p 1 and Φ p e(x) = Φ p (X pe 1 ). Mod-Φ p e(x) reduction is efficient; small(ish) expansion factor. But still not enough: e.g., SIMD FHE likes m = What about non-prime power m? Yuck!!! Φ 21 (X) = 1 X + X 3 X 4 + X 6 X 8 + X 9 X 11 + X 12 Φ 105 (X): degree 48; 33 monomials with { 2, 1, 1}-coefficients Φ (X): highly irregular; large coeffs Irregular Φ m (X) induces cumbersome, slower operations modulo Φ m (X) Large expansion factors up to super-polynomial n ω(1) [Erdős 46] Provable & concrete security also degrade with expansion factor: pay twice! 5 / 12

28 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics 6 / 12

29 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics Fast Algorithms: ring operations (+, ); noise generation & decoding; conversions among the best representations for each task. = Runtimes: O(n) per prime divisor of m, or O(n log n). 6 / 12

30 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics Fast Algorithms: ring operations (+, ); noise generation & decoding; conversions among the best representations for each task. = Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = No dependence on the form of m. 6 / 12

31 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics Fast Algorithms: ring operations (+, ); noise generation & decoding; conversions among the best representations for each task. = Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = No dependence on the form of m. Key Ideas 1 In algorithms, use tensorial representations of ring elements. No reduction modulo Φ m (X) in fact, don t need Φ m (X) at all! 6 / 12

32 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics Fast Algorithms: ring operations (+, ); noise generation & decoding; conversions among the best representations for each task. = Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = No dependence on the form of m. Key Ideas 1 In algorithms, use tensorial representations of ring elements. No reduction modulo Φ m (X) in fact, don t need Φ m (X) at all! 2 In analysis, use canonical embedding to define geometry. 6 / 12

33 Our Contributions A toolkit of simple, fast algorithms and tight error analyses for working with ring-lwe in arbitrary cyclotomics Fast Algorithms: ring operations (+, ); noise generation & decoding; conversions among the best representations for each task. = Runtimes: O(n) per prime divisor of m, or O(n log n). Tight Analysis: same noise growth and worst-case hardness in all cyclotomics; optimal noise tolerance in decoding. = No dependence on the form of m. Key Ideas 1 In algorithms, use tensorial representations of ring elements. No reduction modulo Φ m (X) in fact, don t need Φ m (X) at all! 2 In analysis, use canonical embedding to define geometry. 3 Use decoding basis of dual ideal R for noise generation & decoding. Corresponds to the true definition of ring-lwe. 6 / 12

34 Tensorial Decomposition and the Powerful Basis Recall: Φ p (X) = 1 + X + + X p 1 and Φ p e(x) = Φ p (X pe 1 ). 7 / 12

35 Tensorial Decomposition and the Powerful Basis Recall: Φ p (X) = 1 + X + + X p 1 and Φ p e(x) = Φ p (X pe 1 ). Ancient Theorem [Kummer, 1840s] Let m = l m l be the prime-power factorization of m. Then the mth cyclotomic ring R = Z[X]/Φ m (X) is isomorphic to the tensor product of all the m l th cyclotomic rings: R = Z[X 1, X 2,...]/(Φ m1 (X 1 ), Φ m2 (X 2 ),...). Isomorphism identifies X l with X m/m l. 7 / 12

36 Tensorial Decomposition and the Powerful Basis Recall: Φ p (X) = 1 + X + + X p 1 and Φ p e(x) = Φ p (X pe 1 ). Ancient Theorem [Kummer, 1840s] Let m = l m l be the prime-power factorization of m. Then the mth cyclotomic ring R = Z[X]/Φ m (X) is isomorphic to the tensor product of all the m l th cyclotomic rings: R = Z[X 1, X 2,...]/(Φ m1 (X 1 ), Φ m2 (X 2 ),...). Isomorphism identifies X l with X m/m l. The Powerful Basis It s the natural Z-basis {X j 1 1 Xj 2 2 } = l {Xj l l }, 0 j l < ϕ(m l ). 7 / 12

37 Tensorial Decomposition and the Powerful Basis Recall: Φ p (X) = 1 + X + + X p 1 and Φ p e(x) = Φ p (X pe 1 ). Ancient Theorem [Kummer, 1840s] Let m = l m l be the prime-power factorization of m. Then the mth cyclotomic ring R = Z[X]/Φ m (X) is isomorphic to the tensor product of all the m l th cyclotomic rings: R = Z[X 1, X 2,...]/(Φ m1 (X 1 ), Φ m2 (X 2 ),...). Isomorphism identifies X l with X m/m l. The Powerful Basis It s the natural Z-basis {X j 1 1 Xj 2 2 } = l {Xj l l }, 0 j l < ϕ(m l ). It is not the power basis {1, X, X 2,..., X ϕ(m) 1 } of Z[X]/Φ m (X). E.g., for m = 15 it s {X j } for j {0, 3, 5, 6, 8, 9, 11, 14}. 7 / 12

38 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. 8 / 12

39 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. 8 / 12

40 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in ring-switching [GHPS 12] and new bootstrapping [AP 13] algorithms for FHE. 8 / 12

41 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in ring-switching [GHPS 12] and new bootstrapping [AP 13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each X l independently. 8 / 12

42 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in ring-switching [GHPS 12] and new bootstrapping [AP 13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each X l independently. E.g.: simple, fast conversions to/from evaluation (CRT) representation, via sequence of prime-power FFTs. 8 / 12

43 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in ring-switching [GHPS 12] and new bootstrapping [AP 13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each X l independently. E.g.: simple, fast conversions to/from evaluation (CRT) representation, via sequence of prime-power FFTs. Geometry: Norms, singular values, Gram-Schmidt orthogonalization, dual basis, etc. all behave well under tensoring. 8 / 12

44 If You Remember Only One Thing From This Talk... Tensorial decomposition with the powerful basis is algebraically, computationally, and geometrically preferable to Z[X]/Φ m (X) with the power basis. Algebra: Exposes fine-grained structure of the ring and its relationships with other cyclotomic rings. E.g.: has applications in ring-switching [GHPS 12] and new bootstrapping [AP 13] algorithms for FHE. Algorithms: Efficiently reduces all operations to the prime-power case, by dealing with each X l independently. E.g.: simple, fast conversions to/from evaluation (CRT) representation, via sequence of prime-power FFTs. Geometry: Norms, singular values, Gram-Schmidt orthogonalization, dual basis, etc. all behave well under tensoring. E.g.: powerful basis is better-conditioned than power basis. 8 / 12

45 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. 9 / 12

46 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) 9 / 12

47 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. 9 / 12

48 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) 9 / 12

49 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) Define all geometric quantities using σ: e.g., e 2 := σ(e) 2. 9 / 12

50 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) Define all geometric quantities using σ: e.g., e 2 := σ(e) 2. Nice Features of the Canonical Embedding X j = 1 and X j 2 = p 1 for all j. 9 / 12

51 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) Define all geometric quantities using σ: e.g., e 2 := σ(e) 2. Nice Features of the Canonical Embedding X j = 1 and X j 2 = p 1 for all j. Under σ, both + and are coordinate-wise: σ(a b) = σ(a) σ(b). 9 / 12

52 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) Define all geometric quantities using σ: e.g., e 2 := σ(e) 2. Nice Features of the Canonical Embedding X j = 1 and X j 2 = p 1 for all j. Under σ, both + and are coordinate-wise: σ(a b) = σ(a) σ(b). Makes expansion very easy to analyze: e.g., a b 2 a b 2. 9 / 12

53 Geometry of the Ring Consider R = Z[X]/Φ p (X) with power basis {1, X, X 2,..., X p 2 }. Geometrically, associating elements with their coeff vectors is strange: X j (0,..., 0, 1, 0,..., 0), (j = 0,..., p 2) X p 1 ( 1, 1,..., 1) We want a basis-independent geometry. The canonical embedding σ : R C p 1 evaluates at all roots of Φ p : σ(e(x)) = ( e(ωp), 1 e(ωp), 2..., e(ωp p 1 ) ) Define all geometric quantities using σ: e.g., e 2 := σ(e) 2. Nice Features of the Canonical Embedding X j = 1 and X j 2 = p 1 for all j. Under σ, both + and are coordinate-wise: σ(a b) = σ(a) σ(b). Makes expansion very easy to analyze: e.g., a b 2 a b 2. Ring-LWE is provably hard with (spherical) Gaussian noise under σ. 9 / 12

54 Dual Ideal R and Decoding Basis R = Z[X]/Φ p (X) under embedding σ is a lattice in C p 1. R = Z[X]/Φ 3 (X) X 1 X 0 10 / 12

55 Dual Ideal R and Decoding Basis R = Z[X]/Φ p (X) under embedding σ is a lattice in C p 1. Its dual R has Z-basis {d j }, given by σ(d j ), σ(x j ) = δ j,j. We call {d j } the decoding basis. (It also has a tensor form... ) R = Z[X]/Φ 3 (X) X 1 d 1 d 0 X 0 10 / 12

56 Dual Ideal R and Decoding Basis R = Z[X]/Φ p (X) under embedding σ is a lattice in C p 1. Its dual R has Z-basis {d j }, given by σ(d j ), σ(x j ) = δ j,j. We call {d j } the decoding basis. (It also has a tensor form... ) R is a (fractional) ideal, and pr R R, with pr R. R = Z[X]/Φ 3 (X) R R X 1 d 1 d 0 X 0 d 1 d 0 10 / 12

57 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. 11 / 12

58 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. 11 / 12

59 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. How: represent ē in decoding basis with Z q -coeffs, then lift to Z. 11 / 12

60 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. How: represent ē in decoding basis with Z q -coeffs, then lift to Z. Key Facts For short e R (under σ), coeffs in decoding basis {d j } are small: e = j e jd j (e j Z) = e j = σ(e), σ(x j ) e n. 11 / 12

61 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. How: represent ē in decoding basis with Z q -coeffs, then lift to Z. Key Facts For short e R (under σ), coeffs in decoding basis {d j } are small: e = j e jd j (e j Z) = e j = σ(e), σ(x j ) e n. Moreover, e j are optimally small given density of R, because powerful basis {X j } is optimally short given density of R. 11 / 12

62 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. How: represent ē in decoding basis with Z q -coeffs, then lift to Z. Key Facts For short e R (under σ), coeffs in decoding basis {d j } are small: e = j e jd j (e j Z) = e j = σ(e), σ(x j ) e n. Moreover, e j are optimally small given density of R, because powerful basis {X j } is optimally short given density of R. By contrast, such optimal decoding is not possible for R/qR, because R lacks optimally short elements for its density. 11 / 12

63 Dual Ideal R and Decoding Basis In true ring-lwe, errors are Gaussian over R. In decryption, we need to recover e R, given ē = e mod qr. How: represent ē in decoding basis with Z q -coeffs, then lift to Z. Key Facts For short e R (under σ), coeffs in decoding basis {d j } are small: e = j e jd j (e j Z) = e j = σ(e), σ(x j ) e n. Moreover, e j are optimally small given density of R, because powerful basis {X j } is optimally short given density of R. By contrast, such optimal decoding is not possible for R/qR, because R lacks optimally short elements for its density. Bottom line: using R is actually beneficial in applications! (And advanced applications benefit even more from its algebraic properties.) 11 / 12

64 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: 12 / 12

65 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, 12 / 12

66 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, 12 / 12

67 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis no compromises. 12 / 12

68 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis no compromises. Much more in the paper: regularity lemma, (homomorphic) encryption schemes, implementation advice, / 12

69 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis no compromises. Much more in the paper: regularity lemma, (homomorphic) encryption schemes, implementation advice,... Implementations coming soon! 12 / 12

70 Concluding Thoughts The right choices of mathematical objects and representations (canonical embedding, R ) (tensor bases) come together perfectly, yielding: provable hardness, fast algorithms, tight analysis no compromises. Much more in the paper: regularity lemma, (homomorphic) encryption schemes, implementation advice,... Implementations coming soon! Thanks! Full version: eprint #2013/ / 12

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions