Algebraic aspects of solving Ring-LWE, including ring-based improvements in the Blum-Kalai-Wasserman algorithm
Katherine E. Stange

[Four comparison tables with columns Ring-blind, Algorithm 2 and Algorithm 3, and rows Initial Samples, Table Size, Reduced Samples and Runtime (in seconds) for the OD and AD variants; the parameter headers and numeric entries are not present in this copy.]
Department of Mathematics, University of Colorado, Campus Box 395, Boulder, Colorado 80309-0395
Abstract.
We provide a reduction of the Ring-LWE problem to Ring-LWE problems in subrings, in the presence of samples of a restricted form (i.e. such that is restricted to a multiplicative coset of the subring). To create and exploit such restricted samples, we propose Ring-BKW, a version of the Blum-Kalai-Wasserman algorithm which respects the ring structure. Off-the-shelf BKW dimension reduction (including coded-BKW and sieving) can be used for the reduction phase. Its primary advantage is that there is no need for back-substitution, and the solving/hypothesis-testing phase can be parallelized. We also present a method to exploit symmetry to reduce table sizes, samples needed, and runtime during the reduction phase. The results apply to two-power cyclotomic Ring-LWE with parameters proposed for practical use (including all splitting types).
Key words and phrases:
Ring learning with errors, Ring-LWE, Blum-Kalai-Wasserman, post-quantum cryptography, cyclotomic field
2010 Mathematics Subject Classification:
Primary: 94A60, 11T71, 11R18
This research was supported by NSF-CAREER CNS-1652238 and NSF EAGER DMS-1643552.
1. Introduction
Ring Learning with Errors (Ring-LWE) [24] [25], and Learning with Errors (LWE) [27] more generally, are leading candidates for post-quantum cryptography. The cryptographic hard problem (Search Ring-LWE) is formally similar to discrete logarithm problems, so that protocols can be transferred from the latter context to the former. But it also allows for new applications, such as homomorphic encryption [8]. Ring-LWE is also fortunate in having security reductions from other lattice problems.
Ring-LWE is distinguished from Learning with Errors (LWE) by the use of lattices from number fields. This injection of number-theoretical structure leads to performance improvements, but may add vulnerabilities. So far, the number-theoretical structure has been only weakly exploited for attacks. The ring structure plays a role in security when the error distribution is skewed [9] [10] [11] [15] [16], or the secret is chosen from a subring or other ring-related non-uniform distribution [7]. In the related NTRU cryptosystem, the norm and trace maps to subfields play a role in attacks [1, 12, 17, 23].
However, the best known attacks on Ring-LWE parameters suggested for implementation are still generic attacks for LWE, e.g. [3]. The Blum-Kalai-Wasserman (BKW) algorithm is one such attack, which proceeds (in the first phase) combinatorially to create new samples in a linear subspace of the original problem, while controlling error expansion [5]. BKW has the drawback of requiring exponentially many samples, unless sample amplification is used [21]. Nevertheless, its performance has been of significant interest: for analysis and recent improvements, see [2] [14] [18] [19] [20] [22]. (Note that sample amplification does not immediately transfer from the LWE to the Ring-LWE setting, at least if one wishes the amplified samples to have Ring-LWE, and not just underlying LWE, format; the analogue would be the ‘sample rotation’ described below.)
This paper focuses on two-power-cyclotomic unital (but equivalently, dual [13] [26]) Search Ring-LWE, with no restriction on the splitting behaviour of the prime . The core of the paper is a reduction from higher-dimensional Ring-LWE problems with samples of a restricted form, to lower-dimensional Ring-LWE problems with the same error width, which is given in Theorem 5.2. The restricted form is as follows: samples such that lies in a cyclotomic subring, or a fixed multiplicative coset of such a subring. In the context of these theorems, it is natural to ask about creating samples of this restricted form using a ring variant of the Blum-Kalai-Wasserman algorithm.
One thus obtains a Ring-BKW algorithm, which uses the reduction phase of BKW, including all known speedups, to reduce the Ring-LWE problem to a subring. Then, the symmetry of the ring structure allows us to engineer an entire suite of subring problems in polynomially more time, whose solutions collectively solve the original Ring-LWE problem, again in polynomial time. Thus, the ‘hypothesis testing’ phase of BKW is parallelized, and the exponential ‘back-substitution’ phase is eliminated (Theorem 5.2). State-of-the-art off-the-shelf code for the BKW reduction phase and hypothesis testing phase may be used. Note that the reduction phase of BKW is the dominant phase for runtime, and hypothesis testing is typically polynomial, but the now-eliminated back-substitution phase runs in time which is also exponential, but differs only by a smaller polynomial factor from the reduction phase; hence the overall runtime savings is a polynomial factor. In Section 8, we describe the Ring-BKW algorithm.
The paper also addresses the use of symmetry to reduce the table sizes in BKW, here termed advanced keying in Section 9. Compared to a BKW reduction phase completely blind to the ring structure, this reduces the table size and samples needed by a factor of the block size, as well as reducing runtime, but requires that block sizes be taken to be a (possibly varying) power of .
We also discuss a square-root speedup over exhaustive search (which may be used, for example, in hypothesis testing); see Corollary 5.3.
See Section 10 for more discussion of practical runtime.
The key theoretical properties which are potentially advantageous (to an attacker) of Ring-LWE vs. plain LWE, are:
1. Ring homomorphisms into smaller instances of the problem (the main tool of [10] [11] [15] [16]).
2. The ability to rotate samples, e.g. replacing with or , which are different but related Ring-LWE samples (see notation in Section 2); these represent symmetries of the lattice (previously used in lattice sieving [6] [28]; more generally, manipulation of samples by multiplication was exploited in [4]).
3. The existence of subrings as linear subspaces (which is important in [7]).
4. More generally, the multiplicative structure of certain linear subspaces.
5. In the case of 2-power cyclotomics, the orthogonality of the lattice of the ring of integers and the orthogonal nature of the trace.
For us, all five of these attributes play an important role. It is a secondary purpose of this paper to lay out these advantages in a clear manner, to facilitate future analysis of the security of ring aspects of Ring-LWE. See Section 4.
Finally, it is also a secondary purpose of this paper to provide a treatment of the Ring-LWE problem which is inviting to the mathematical community.
Code demonstrating the correctness of the algorithm is available at:
https://math.katestange.net/code/ring-bkw/.
Acknowledgements
First, I would like to thank the anonymous referees on an earlier draft of this paper, who pointed out an important simplification. Second, I would like to thank my mother, Ursula Stange, and my husband, Jonathan Wise, without whose childcare help in the face of snowstorms, viruses, cancellations and fender-benders, this paper simply would not have been completed. To mathematician moms (and dads) everywhere: take heart.
2. Background and Setup for Ring-LWE
It is typical to set notation for Ring-LWE as in, for example, [7]; here we briefly review this notation in our context, and define the Ring-LWE problems.
2.1. Number field and ring
Let be a number field over the rationals, of degree . Then is equipped with a bilinear form given by a modification of the trace pairing,
[TABLE]
Here the sums are over real and complex embeddings, respectively (note that including both elements of each pair of conjugate complex embeddings necessitates the factor of ). This gives an isomorphism of with , taking the pairing above to the standard inner product, and (1) is chosen in such a way that the isomorphism is exactly that arising from the Minkowski or canonical embedding of algebraic number theory. We can also denote the norm by .
The ring of integers of forms a lattice in .
2.2. Gaussian distribution
Having geometry (in particular a norm ) on allows us to define Gaussian distributions. For a Gaussian parameter , we write
[TABLE]
Normalizing this to obtain a probability distribution function , we obtain the continuous Gaussian probability distribution of width on , denoted .
Note that, when considered with respect to an orthonormal basis, such a distribution is the sum of independent distributions in each coordinate, each having width . In this paper, we are concerned exclusively with this case.
With this normalization, the variance is , and one standard deviation is . It is a sum of independent Gaussians in each coordinate for which the range corresponds to standard deviations.
In practice, the tails of the Gaussian may be cut off, so that the number of possible values in each coordinate is finite.
One may discretize a Gaussian distribution to obtain a distribution on a lattice . That is, one takes
[TABLE]
and one samples element with probability
[TABLE]
If has an orthonormal basis, then again this distribution consists of independent distributions on the coefficients of the basis.
2.3. Prime and quotient ring
Let be the ideal generated by in . The fundamental setting of the Ring-LWE problem is the ring .
Letting be the unique decomposition of into distinct prime ideals in , the Chinese remainder theorem gives
[TABLE]
If is unramified (which is typically the case), then for all . If is Galois (also typically the case in the cryptographic setting), then the Galois group acts transitively on the and they all have the same residue degree (the residue degree is the dimension of the quotient field as an -vector space).
2.4. Ring-LWE distributions
For any (the secret), and any distribution over (the error distribution), we write for the associated Ring-LWE distribution for secret over , given by sampling uniformly over , sampling from , and outputting .
Such outputs are called samples, and in a cryptographic application, these are observed publicly, while the secret is not meant to be exposed.
For the error distribution, we wish to define a ‘small’ distribution on , i.e. concentrated near the origin (in comparison to , which is large). It is typical to choose for the error distribution a discretized Gaussian distribution as described above (considered post factum modulo ). This is the context in which security reductions apply. In implementations, it is sometimes suggested to approximate this by a uniform distribution on a box around the origin, etc.
2.5. Ring-LWE problems
The two fundamental Ring-LWE problems are (a) search: to compute the secret, upon observing sufficiently many samples; or (b) decision: to determine if the samples are hiding a secret at all, as opposed to being random noise. We state them more formally as follows.
Definition 2.1.
The search Ring-LWE problem, for error distribution and secret distribution , is as follows: Given an error distribution over and a secret distribution over , and some number of samples drawn from the distribution for some fixed drawn from , compute .
Definition 2.2.
The decisional Ring-LWE problem, for error distribution and secret distribution , is as follows: Given an error distribution over and a secret distribution over , distinguish with non-negligible advantage, between
1. samples drawn from the distribution for some fixed drawn from ; and
2. samples drawn uniformly from .
We remark that Ring-LWE is frequently defined in the context of the dual (the inverse of the different ideal). However, in the case that is a -th cyclotomic field, and this isomorphism is realized as a scaling in the canonical embedding, and thus preserves the error distribution up to scaling, so we can interchange the dual version with the simpler ‘unital’ version considered here [24].
Search-to-decision reductions are known in a variety of contexts [24]. This paper concerns both problems, but especially the search problem.
The Ring-LWE problem is formally similar to the discrete logarithm problem, which could be phrased in terms of samples in a finite field: given , find . In the ring , solving for given can be accomplished using linear algebra (Gaussian elimination), or by multiplication by in the ring. By introducing a small error , so we have , multiplication by is no longer helpful, and Gaussian elimination becomes useless, as it amplifies the errors to the point of washing out all useful information. From another perspective, the security stems from the fact that addition of an error value is somehow unpredictably mixing with respect to the multiplicative structure.
Another consequence of this setup is that given just one sample , one has as many solutions to as there are possible values for . In fact, the problem only has a unique solution once we have enough samples. If the samples are not Ring-LWE samples at all, then with sufficiently many samples, it becomes overwhelmingly likely that there are no values of so that is in the support of the error distribution for all samples . If the samples are Ring-LWE, this is the point at which the true secret is the only solution, with overwhelming probability.
3. Specializing to -power cyclotomic Ring-LWE
We will now specialize to the -power cyclotomic case, fixing values for the variables
[TABLE]
from the last section, and defining
[TABLE]
for the -power cyclotomic case. Whenever we refer to -power cyclotomic Ring-LWE, we refer to all the conventions in this section.
3.1. Ring
We let and be the -th cyclotomic field and ring of integers, respectively, where is a power of two. This is of dimension (note that ), and can be presented as
[TABLE]
We will use the notation and for a primitive -th root of unity in and for its image in quotients of this ring.
3.2. The -basis for and its quotients
A basis for is
[TABLE]
This will be called the -basis. We have the relation in and in all its quotients (this is the -th cyclotomic polynomial evaluated at ), but the minimal polynomial for varies in these quotients, and may be a proper divisor of this cyclotomic polynomial. Nevertheless, in all quotients of , we still obtain a -basis, i.e. a power basis in terms of .
3.3. Prime
Let be an odd prime, unramified in .
3.4. Ring and further quotients
We consider the quotient ring
[TABLE]
which is an -vector space of dimension . We may use the same -basis for this ring (to be explicit, the images of the basis for under the reduction modulo ).
We may also consider further quotients for . We may also use a -basis for these rings, although it may be of lower dimension over (so fewer powers required). We have
[TABLE]
where . In particular, identifying with its image in , the latter has an -basis .
3.5. Error distribution , coefficient distribution and coefficient support
We will denote the error distribution by . If this error distribution is formed using independent identically distributed coefficients on the -basis, with coefficient distribution supported on a subset , then we say that is formed on the -basis with coefficients distributed according to . This is true, for example, of a discrete Gaussian distribution on two-power cyclotomics, or a distribution formed by choosing coefficients uniformly from some subset of . For the former observation, the relevant fact is the following: the power basis associated to is orthonormal (after scaling) in the canonical embedding. To see this, use (1) and observe that if has order , then does also, hence the real parts of the complex embeddings of roots of unity form a collection symmetrical about zero. For this paper, we will concern ourselves exclusively with this case.
3.6. Secret distribution
We will not make any particular assumption on the secret distribution. It may be taken to be uniform on . Note, however, that the method of [4, Section 3, Targeting ] could be used to manipulate the samples so the secret can be taken from the error distribution, preserving the Ring-LWE structure of the samples.
4. Key theoretical properties
In this section we highlight several key aspects of Ring-LWE absent in LWE.
4.1. Ring homomorphisms
If a Ring-LWE problem is presented in , then for any , we have a ring homomorphism
[TABLE]
This transports samples distributed according to to samples distributed according to .
In general, the effect of on is problematic, i.e. it spreads out the error widely. As an illustration, we give a proposition governing the behaviour of on in the -power cyclotomic case, when .
Proposition 4.1.
Suppose we are in the -power cyclotomic case, and , and . If, in , the error distribution is formed on the -basis in with coefficients drawn from on , then is formed on the -basis in with coefficients drawn from on , where and
[TABLE]
Proof.
Define , meaning that but . Since , we have . Furthermore, for all , so that and, by induction
[TABLE]
for all . As is defined as the embedding degree of the -th roots of unity, we obtain .
The element satisfies in . Hence it is itself a primitive -th root of unity, i.e. -th root of unity. Hence by the definition of .
The main statement now follows from the fact that is an -basis of , that and that for and , we have
[TABLE]
∎
For example, in the case that , we obtain
[TABLE]
This means the coefficients of are chosen from a sum of two Gaussian distributions with different coefficients. This is less controlled than twice a single Gaussian. For, twice a Gaussian is simply a wider Gaussian, and the size of its support grows by approximately . However, in an uneven linear combination the size of the support is approximately the square of the size of . (To be explicit, since is discrete, is “spaced out” into isolated spikes, and each spike of support is transformed into a small Gaussian by the addition of to form .) This is a symptom of the protective property of these ring homomorphisms: they transform the error to something less amenable to attack. In fact, very quickly the image of a Gaussian error approaches uniform in the image ring as the dimension of the image ring decreases. And Ring-LWE samples with uniform error are informationless.
4.2. Rotating samples
The ring structure allows us to generate new (but not independent) samples from old.
Proposition 4.2.
Suppose is invariant under multiplication by . Then if is distributed according to , then
1. is also distributed according to ,
2. is distributed according to .
In particular, in the -power cyclotomic case, a discrete Gaussian is invariant under multiplication by and all its powers.
We call these rotated samples. One could also rotate by other small values, e.g. in the -power cyclotomic case, at a small cost in changing the error distribution. (This may allow for adapting the notion of sample amplification to the Ring-LWE case; see [21].)
4.3. Subrings and trace maps
If considering Ring-LWE in , where is the ring of integers of a number field , then any subfield gives rise to a subring (i.e., the ring of integers of ) and, modulo , to a subring . Then is an -vector subspace of , and has a module structure over . The dimensions of over , over and over agree.
There is a linear map satisfying the following relationship to the usual trace map from to :
[TABLE]
To see this, remark that is elementwise fixed by the Galois group of and is the extension of to , so the Galois group takes to itself. Therefore the Galois group acts on fixing . Therefore we may define to be the sum of for in the Galois group of , and the relationship above holds.
The ring is always an -module, but the reader is cautioned that in a general number field, may not be a free module over .
4.4. Multiplicative cosets of subrings
The set , for any invertible , is an -vector subspace of of dimension equal to the dimension of . Distinct such subspaces intersect only at subspaces consisting of non-invertible elements of , and (the invertible elements of ) lie in the union of all such subspaces.
Let us write for the distribution on given by choosing uniformly in , choosing according to error distribution and outputting .
Proposition 4.3.
If is distributed according to where is invariant under multiplication by , then
1. is distributed according to , and
2. is distributed according to .
The multiplicative coset structure gives rise to another type of sample reduction, beyond ring homomorphism. We have
Proposition 4.4.
Suppose is fixed. Define , the trace map described above. Consider a collection of samples distributed according to , where is fixed and is invertible. Then maps such samples to samples distributed according to in , where
[TABLE]
Proof.
For , since is -linear, we have
[TABLE]
This implies that
[TABLE]
This proves the proposition. ∎
4.5. Trace maps for two-power cyclotomics
The final piece to the puzzle is the behaviour of the trace map in the previous section. In the case of the -power cyclotomics, the trace map is particularly well-behaved in terms of its effect on the error distribution. In fact, it takes very many of the basis elements to zero. This is a feature of the orthogonality of the basis , and it may be proved with reference to basic algebraic number theory, as follows.
Using the notation of Section 4.3 in the case of the -power -th cyclotomics , let be the -th cyclotomic subfield. One may take and has a basis over . We collect terms to write
[TABLE]
In other words, has a -basis over .
The elements of the Galois group of are given by for satisfying , and so
[TABLE]
In particular, for the trace to the index two subfield, we have:
[TABLE]
This special case can be seen directly by observing that if is even, then , while if is odd, then is the square root of something in , i.e. it satisfies the minimal polynomial , and hence has trace zero. An alternate proof of the general case then follows by application of the special case times.
In summary then, the trace map preserves the error distribution up to small factors. The following proposition, which is now immediate, makes this explicit.
Proposition 4.5.
Suppose we are in the two-power cyclotomic case as in Section 3, where in particular is the ring of integers of the -th cyclotomics, with a power of two. Let be the subring of integers of the -th cyclotomics (hence is also a power of two). Write for the trace map described in Section 4.3. Suppose that is an error distribution formed on the -basis of with coefficients chosen according to . Then takes values in and is the error distribution formed on the -basis of with coefficients from .
The efficacy of the trace map with respect to the error distribution is due to its being an orthogonal projection to the space spanned by a subset of an orthonormal basis.
5. Reducing to a smaller ring
We demonstrate that if one can find sufficiently many samples whose values are restricted to a fixed multiplicative coset of a subring, then we can reduce the Ring-LWE problem to multiple independent Ring-LWE instances in the subring, without error inflation.
For this section, we are in the two-power cyclotomic case. Let be the ring of -th cyclotomic integers, where is a power of two (which have dimension , where ), and be the ring of -th cyclotomic integers, where . Then we have an extension of rings, of degree . Suppose that the rational prime is unramified in .
Proposition 5.1.
Consider a Ring-LWE instance in with secret and error distribution . Let be a fixed invertible element. Let , and suppose that is invertible.
Let be an integer. Then in time polynomial in and , one can reduce a Ring-LWE sample from distribution to a Ring-LWE sample in drawn according to secret
[TABLE]
and error distribution .
In particular, by Proposition 4.5, coefficient distributions of a -invariant and its resulting distribution are of the same size; it is in this sense that the errors do not inflate.
Proof.
Consider the sample where . Multiplying the second coordinate of the sample by and taking the trace , we obtain as in Proposition 4.4, a sample
[TABLE]
where .
Multiplication in the ring, and taking the trace, are polynomial in the ring size. ∎
The following is the main theorem of the paper.
Theorem 5.2.
Suppose is the ring of -th cyclotomic integers, for a power of two, and is the ring of -th cyclotomic integers, where , so the extension is of degree . Suppose that the rational prime is unramified in .
Consider a Ring-LWE instance in with secret and error distribution which is invariant under multiplication by , a primitive -th root of unity. Let be a fixed invertible element. Let as defined in Section 4.3, and suppose that is invertible.
Suppose one obtains samples distributed according to (notation from Section 4.4).
Then in time linear in the number of samples , and polynomial in and , one can reduce the computation of the secret to the solution of Search Ring-LWE problems in with error distribution , having samples each. These problems are independent in the sense that setting up any one of them does not require having solved any other one.
Furthermore, if is formed on the -basis from coefficient distribution on (see Section 3.5 for definition), then so is .
Proof.
Set in Proposition 5.1 for each in the range , to obtain samples having secret
[TABLE]
Using an oracle that solves Search Ring-LWE in , obtain .
Collecting all the values , we have a linear system of equations over , whose indeterminates are the coefficients of (expressed in terms of a basis for over ), of the form
[TABLE]
The linear equations are independent provided that is a set of -independent vectors in . We saw above that is a basis for over . Thus independence is guaranteed by the fact that is invertible. Note that we can consider this system to consist of independent linear equations over . The system can be solved by Gaussian elimination to recover .
All the field operations concerned are polynomial in the size of the ring. We must apply the trace to samples times, and we must carry out Gaussian elimination of dimension over , which is polynomial in and . ∎
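The index-two case of the trace map (Section 4.5) together with the sample reduction of Proposition 5.1 and the recovery step in the proof of Theorem 5.2, as an added worked example in Python; this is not the paper's own code (that is at the URL given in the Introduction). It assumes R = Z_q[x]/(x^N + 1) with the toy parameters N = 16 and q = 257, a bounded coefficient error standing in for the discrete Gaussian, and replaces the Search Ring-LWE oracle for the subring by the true subring secrets; all function names (mul, trace2, recover_secret, ...) are the example's own.

```python
"""Index-two trace reduction for two-power cyclotomic Ring-LWE (Section 4.5,
Proposition 5.1, Theorem 5.2).  Added worked example, not the paper's code.
R = Z_q[x]/(x^N+1) is a length-N coefficient vector on the x-basis; the subring
R' = Z_q[y]/(y^(N/2)+1), y = x^2, a length-N/2 vector on the y-basis.
N, Q and the bounded error are toy values chosen for the demonstration."""
import random

N = 16    # toy dimension of R (a power of two); R' has dimension N/2
Q = 257   # toy odd prime modulus
ERR = 2   # constructed error: coefficients uniform in [-ERR, ERR]

def mul(a, b):
    """Negacyclic product in Z_Q[t]/(t^n + 1), n = len(a); serves both R and R'."""
    n, res = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - n] = (res[i + j - n] - ai * bj) % Q
    return res

def add(a, b):
    return [(u + v) % Q for u, v in zip(a, b)]

def monomial(j, n=N):
    """The basis element t^j of a ring of dimension n."""
    return [1 if i == j else 0 for i in range(n)]

def trace2(a):
    """Tr_{R/R'}: x^i -> 2x^i for even i, 0 for odd i (Section 4.5), on the y-basis."""
    return [(2 * a[2 * k]) % Q for k in range(N // 2)]

def lift(ap):
    """Embed R' into R via y^k -> x^(2k)."""
    return [ap[i // 2] if i % 2 == 0 else 0 for i in range(N)]

def restricted_sample(s, u):
    """(a, a*s + e) with a = u*a' in the coset u*R' (Section 4.4); returns a', b, e."""
    a_prime = [random.randrange(Q) for _ in range(N // 2)]
    e = [random.randint(-ERR, ERR) % Q for _ in range(N)]
    return a_prime, add(mul(mul(u, lift(a_prime)), s), e), e

def reduce_sample(a_prime, b, j):
    """Proposition 5.1: (a', Tr(x^j b)) is an R'-sample, secret Tr(x^j u s), error Tr(x^j e)."""
    return a_prime, trace2(mul(monomial(j), b))

def mult_matrix(u):
    """Matrix of multiplication by u on R over F_Q (column i is u * x^i)."""
    cols = [mul(u, monomial(i)) for i in range(N)]
    return [[cols[i][row] for i in range(N)] for row in range(N)]

def solve_mod_q(M, rhs):
    """Gaussian elimination over F_Q; v with M v = rhs, or None if M is singular."""
    n = len(M)
    A = [row[:] + [r] for row, r in zip(M, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], Q - 2, Q)
        A[col] = [(x * inv) % Q for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % Q for x, y in zip(A[r], A[col])]
    return [row[n] for row in A]

def recover_secret(u, s0, s1):
    """Linear-algebra step of Theorem 5.2 (degree two).  From s0 = Tr(u s) and
    s1 = Tr(x u s), write w = u s = p + x r with p, r in R'; then Tr(w) = 2p and
    Tr(x w) = 2 y r, so w is determined and s = u^{-1} w is solved over F_Q."""
    inv2 = pow(2, Q - 2, Q)
    p = [(c * inv2) % Q for c in s0]
    y_inv = [(-c) % Q for c in monomial(N // 2 - 1, N // 2)]  # y^{-1} = -y^(N/2-1)
    r = mul([(c * inv2) % Q for c in s1], y_inv)
    w = add(lift(p), mul(monomial(1), lift(r)))
    return solve_mod_q(mult_matrix(u), w)

def demo(seed=1):
    """Check Proposition 5.1 on rotations j = 0, 1, then recover s as in Theorem 5.2."""
    random.seed(seed)
    s = [random.randrange(Q) for _ in range(N)]
    u = [random.randrange(Q) for _ in range(N)]
    while solve_mod_q(mult_matrix(u), [0] * N) is None:  # the coset needs a unit u
        u = [random.randrange(Q) for _ in range(N)]
    a_prime, b, e = restricted_sample(s, u)
    ok = True
    for j in range(2):
        _, b_red = reduce_sample(a_prime, b, j)
        s_j = trace2(mul(monomial(j), mul(u, s)))   # secret of the reduced sample
        e_j = trace2(mul(monomial(j), e))           # its error: coefficients merely doubled
        ok &= b_red == add(mul(a_prime, s_j), e_j)
        ok &= all(min(c, Q - c) <= 2 * ERR for c in e_j)
    # a Search Ring-LWE oracle for R' would return s_0 and s_1; the true values stand in here
    s0, s1 = (trace2(mul(monomial(j), mul(u, s))) for j in range(2))
    return ok and recover_secret(u, s0, s1) == s
```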
As a small corollary, note that in any small Ring-LWE situation where exhaustive search may apply, it is equally possible to use the above for a square-root speedup, provided many samples are available. As an example, if we have a coefficient distribution with support not including all of , then the following statement demonstrates the approach.
Corollary 5.3.
Consider a Ring-LWE instance in with secret and error distribution formed on a -basis with coefficient distribution having support strictly smaller than .
There is an algorithm to solve this problem, with success probability , in time and number of samples times factors polynomial in , using space polynomial in .
Proof.
Note that the hypotheses guarantee is invariant under multiplication by . Let be the ring of index two in (i.e. -th roots of unity). Collect samples, discarding all but those with . In time we can accumulate samples with . Apply Theorem 5.2 to reduce to two Ring-LWE problems in with samples each. The error distribution on gives an error distribution on . If is formed on a -basis with coefficients supported in , then is formed on a -basis with coefficients supported in . Therefore, if the number of samples is sufficient, the reduced Ring-LWE problems are solvable using exhaustive search through possible values.
In our case, we need large enough so that a Ring-LWE problem in with samples has a unique solution with probability . Although depends upon , for the worst case , is still polynomial in . Solve the reduced problems by exhaustive search, which takes time and each succeeds with probability . ∎
6. Background on the Blum-Kalai-Wasserman algorithm
First, we will give a very brief overview of the Blum-Kalai-Wasserman (BKW) algorithm in the context of LWE [5]. It is a combinatorial algorithm in which samples are collected and stored so as to facilitate the creation of new samples, as iterated sums and differences of established ones. The goal is to create new samples for which is restricted to a linear subspace. This is the reduction phase of the full BKW algorithm.
In BKW, after reduction, there is a hypothesis testing phase, in which one solves a lower-dimensional Ring-LWE problem (that given by restricting to the subspace) by exhaustive search over possible secrets. And then there is a back-substitution phase, where the small piece of the secret recovered in hypothesis testing is used to rework the problem to prepare the next small piece for hypothesis testing.
One can think of BKW as a sort of controlled Gaussian elimination on a matrix whose rows are samples, in which one wants to obtain as much simplification as possible using just one sum or difference of rows. By keeping the coefficients of the linear combinations small, we prevent the error ‘blow-up’ that occurs with regular Gaussian elimination. The cost is in needing many more matrix rows (samples) in order to be able to choose good linear combinations. The back-substitution phase is analogous to the eponymous phase of Gaussian elimination, with the recovered portion of the secret taking the role of the free variable. From another point of view, BKW reduction is a sort of iterated birthday attack, in which one searches for and exploits collisions which eliminate entries of the vectors, reducing to a subspace, where one searches again for collisions, and so on.
Now let us be more precise. During the reduction phase, only the -value of a sample matters, considered as a vector in a vector space , and the goal is to create samples with , a linear subspace of . Suppose, for the sake of explanation, that is defined by the first coefficients of its vectors being [math]. One generates an ordered list of the first entries of all the vectors which are observed. Whenever a new vector is observed, it is compared to the ordered list. If it is not already present, it is added. Otherwise, we have discovered two samples and for which is a new sample for which lies in . The penalty is that the error distribution of these new samples is widened. We begin a new table of such vectors as they are generated. In this way, we produce a large number of samples in a smaller subspace at the cost of inflating the error widths.
Instead of performing this reduction all at once, one chooses an appropriate block size for BKW (which is fixed throughout in the naïve implementation), which is to say, the codimension of as a subspace of . Once we have produced enough samples in , we can use these to perform another BKW reduction to a subspace of codimension in . The cost of a reduction step is exponential in , so we keep as small as possible. We perform block reductions until the samples are all taken from a small enough subspace to run an exhaustive search or other strategy to finish off the problem. The limiting factor on shrinking is an upper limit on the number of blocks used overall. Each reduction into codimension has a cost in error-inflation. We have a limit on the total error inflation (because hypothesis testing will fail if the error is so inflated as to appear uniform), which limits the total number of blocks.
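As an added illustration (not code from the paper), the following Python script runs the table-based reduction just described on a constructed plain-LWE instance. Each table keys on one block of coordinates of the vector, stores the first sample seen with a given key, and passes the difference of a colliding pair to the next table, so that after all tables only the last TAIL coordinates can be non-zero, with the error width at most doubling per table. It also applies the space-saving sign trick discussed in Section 9 (a key is sign-normalised so that a vector and its negative share one row) and finishes with the exhaustive-search hypothesis test over the remaining coordinates. The parameters N, Q, BLOCK, TAIL, the bounded error distribution and all function names are toy choices made here for the example, not parameters or code from the paper.

```python
import itertools
import random

# Toy plain-LWE parameters constructed for this example (not from the paper):
# dimension, modulus, BKW block size, trailing coordinates left for hypothesis
# testing, and the bound of the uniform error e in [-ERR_BOUND, ERR_BOUND].
N, Q, BLOCK, TAIL, ERR_BOUND = 6, 101, 2, 2, 1


def lwe_samples(secret, count, rng):
    """Constructed samples (a, b) with b = <a, secret> + e mod Q and |e| <= ERR_BOUND."""
    out = []
    for _ in range(count):
        a = [rng.randrange(Q) for _ in range(N)]
        e = rng.randint(-ERR_BOUND, ERR_BOUND)
        out.append((a, (sum(x * y for x, y in zip(a, secret)) + e) % Q))
    return out


def negate(sample):
    """(a, b) -> (-a, -b): a valid sample for the same secret, with error -e."""
    a, b = sample
    return [(-x) % Q for x in a], (-b) % Q


def subtract(s1, s2):
    """(a1 - a2, b1 - b2): a valid sample whose error is e1 - e2."""
    (a1, b1), (a2, b2) = s1, s2
    return [(x - y) % Q for x, y in zip(a1, a2)], (b1 - b2) % Q


def reduce_block(samples, start):
    """One BKW table (one-difference variant) zeroing coordinates start..start+BLOCK-1.

    The first sample seen with a given key (the block of a) is stored; a later sample
    with the same key is not stored, and the difference is passed on. Sign trick: if
    the first non-zero key entry lies in (Q/2, Q) the whole sample is negated first,
    so v and -v share a row and the table has at most (Q**BLOCK - 1)/2 rows.
    """
    table, passed = {}, []
    for sample in samples:
        key = sample[0][start:start + BLOCK]
        if not any(key):
            passed.append(sample)              # already zero on this block
            continue
        if next(x for x in key if x) > Q // 2:
            sample = negate(sample)
            key = sample[0][start:start + BLOCK]
        key = tuple(key)
        if key in table:
            passed.append(subtract(sample, table[key]))   # |error| at most doubles
        else:
            table[key] = sample
    return passed, len(table)


def reduce_all(samples):
    """Chain tables until only the last TAIL coordinates of a may be non-zero."""
    sizes = []
    for start in range(0, N - TAIL, BLOCK):
        samples, size = reduce_block(samples, start)
        sizes.append(size)
    return samples, sizes


def hypothesis_test(reduced, err_bound):
    """Exhaustive search over the TAIL unknown secret coordinates: a candidate scores one
    point per sample whose centred residue b - <a_tail, cand> lies within err_bound."""
    best, best_score = None, -1
    for cand in itertools.product(range(Q), repeat=TAIL):
        score = 0
        for a, b in reduced:
            r = (b - sum(x * y for x, y in zip(a[N - TAIL:], cand))) % Q
            if r > Q // 2:
                r -= Q
            score += abs(r) <= err_bound
        if score > best_score:
            best, best_score = list(cand), score
    return best, best_score


def demo(seed=1, count=20000, test_samples=40):
    """Generate an instance, reduce it, and recover the last TAIL secret coordinates."""
    rng = random.Random(seed)
    secret = [rng.randrange(Q) for _ in range(N)]
    reduced, sizes = reduce_all(lwe_samples(secret, count, rng))
    inflated = ERR_BOUND * 2 ** len(sizes)     # each table at most doubles |e|
    tail, score = hypothesis_test(reduced[:test_samples], inflated)
    return {
        "secret": secret,
        "table_sizes": sizes,
        "reduced": len(reduced),
        "prefix_zero": all(not any(a[:N - TAIL]) for a, _ in reduced),
        "inflated": inflated,
        "tail": tail,
        "score": score,
    }


if __name__ == "__main__":
    print(demo())
```

The table-size bound and the sample count make the cost trade-off visible: every table absorbs up to (Q**BLOCK - 1)/2 samples as stored rows, so the number of reduced samples reaching the hypothesis test is roughly the initial count minus the total rows stored, while the error bound grows by a factor of two per table.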
The BKW algorithm has been improved in recent years, including using coding theory to reduce the number of values that need to be stored and compared, sieving at each step, allowing the block size to vary, using the Fourier transform to speed up hypothesis testing; see [2] [14] [18] [19] [20] [22].
7. Reduction using BKW
In this section, we address the problem of finding sufficiently many samples having from an appropriate subring , so that Theorem 5.2 will apply. For this, we use the reduction phase of the BKW algorithm. We emphasize that it is possible, once the samples have been given in an appropriate basis, to use an off-the-shelf BKW reduction algorithm, including coded BKW with sieving etc., for the reduction phase. The window size may be chosen at will, for example, and need not depend upon the ring structure. Then, Theorem 5.2, which is polynomial time, replaces all the other phases of BKW.
The only adaptor necessary to connect BKW to Theorem 5.2 is an attention to the basis used. In order to perform the reduction, we begin with the -basis of over , namely
[TABLE]
and then reorder it to produce a prioritized basis. The most important property we desire for our purposes is that if one of and has lower multiplicative order than the other, then it comes later than the other. One computationally convenient way to accomplish this is to take the bit-reversal permutation on elements (i.e. maps to if the binary representation of in bits, read backwards, is ), then reverse the order. For concreteness, the prioritized basis (in part) is as follows:
[TABLE]
Using any type of BKW reduction, one now reduces, with respect to this basis. To be precise, one seeks to eliminate the earlier coefficients of the elements , as expressed in this basis. At the end, at most the last coefficients are non-zero, for some small . For example, one may reduce until only the last , , or coefficients are possibly non-zero.
The varying block sizes during the reduction algorithm itself need not respect any restrictions, and improvements such as coded-BKW with sieving may be used. For example, coded-BKW, under the assumption that the secret is small, associates to each a codeword from a linear code. Then the sample is replaced with , which is a valid sample with a larger error, before it is fed to the BKW tables. The tables then have fewer rows because their rows are chosen from codewords. In sieving, imagine that one has stored the original along with each new sample . The difference between and measures the error inflation introduced by coding. A collision between and being passed to another table has an that is not actually [math] in the first few entries, only small. Among the vectors being fed from one table to the next, one can pause to sieve them, creating vectors whose ’s are somewhat smaller. This reduces the error inflation introduced by the coding process.
The important thing is that, whatever technique is used, after reduction, one has obtained samples with for some of dimension . One then applies Theorem 5.2.
8. The Ring-BKW algorithm
In this section we summarize the Ring-BKW algorithm for completeness. In short, one uses an off-the-shelf BKW reduction algorithm on samples with respect to a particular choice of basis, then applies Theorem 5.2. The important point is that the back-substitution phase of BKW is no longer needed, and the hypothesis-testing phase can be parallelized. The hypothesis-testing phase can also be off-the-shelf, including recent improvements using the Fourier transform etc. [14]. However, we will elaborate somewhat.
Ring-BKW algorithm
Choose a subring of dimension over (corresponding to a lower-degree -power cyclotomic field), to which we wish to reduce. Define and as before. The Ring-BKW Algorithm is given as Algorithm 1.
The ring structure is not relevant in step (1); one uses BKW reduction as for any LWE problem (in particular, the window size can be chosen without regard to the ring structure). In fact, any reduction algorithm to obtain values will do as well.
The following theorem relates any reduction algorithm to the solution of Search Ring-LWE. For the following, we consider Gaussian error with a well-defined width; an expansion factor refers to a multiplicative factor on the width.
Theorem 8.1.
Suppose that is an algorithm which, given a Ring-LWE problem of dimension over , produces Ring-LWE samples of dimension with error expansion factor of , in time , and using original samples.
Suppose that is an algorithm which solves Ring-LWE in dimension over in time , given error width less than or equal to and at least samples.
Then, there is an algorithm which solves Ring-LWE in having width in time
[TABLE]
using samples.
Proof.
We will use Algorithm 1. We will set . The time to run the reduction phase is . The time to create the smaller Ring-LWE problems is linear in and polynomial in from Theorem 5.2. Solving the smaller Ring-LWE problems (guaranteed to succeed by the choice of ) takes time each. Then reconstructing the secret (as in Theorem 5.2) again takes polynomial time. ∎
9. Advanced Keying
In the previous section, one uses BKW on LWE to perform reduction, say with block size . Given a Ring-LWE sample, there are in fact rotated samples one could feed into the reduction:
[TABLE]
Naïvely, one may include them all, or include only the first one. Probably the best course of action is to include them all, to increase the number of collisions located amongst the available samples (since the number of samples needed is the downside to BKW in general). By including all rotations, one catches all collisions of the form for some . These are all perfectly useful collisions for the algorithm, if the error term is -invariant. In this section we propose a space-saving approach based on symmetries, which is equivalent, in terms of collisions obtained per sample, to storing all rotations of the samples. (If one chooses to compare to running BKW without rotating samples at all, i.e. ring-blind, it will both reduce storage and require fewer samples.)
In the discussion that follows, the reduction algorithm described in Section 6 will be called traditional BKW reduction to distinguish it from the advanced keying BKW reduction proposed in this section. There are a variety of modern speedups and alternatives (such as coded-BKW and sieving) which could also be combined with advanced keying, but for purposes of clarity we will ignore these until later in this section. In particular, in traditional BKW reduction, when a collision is recorded, nothing is added to the current table, but the difference is passed to the next table. (Later, it will prove helpful to call this one-difference and compare it to all-differences where new samples are stored as well as passed on, to increase the number of collisions.)
Our proposal in this section is an analogue of the space-saving technique used in traditional BKW, wherein for each sample we may derive two samples and : we choose one canonically (where the first non-zero coefficient of is in , say), and save only this one. By doing so, we will catch all collisions between samples where their sum or their difference vanishes, and save half the table rows in the process. More precisely, the number of rows of the table for each block never exceeds , since the possible non-zero vectors come in pairs of which we store at most one. Furthermore, this is also a time efficiency issue. If instead one simply included and among the incoming samples, then without this trick, the collisions and are both sent on to the next table, both are multiplied by thereafter, and we actually end up with repeat samples that must be weeded out at a later stage. For reference, traditional BKW reduction, with this space-saving technique, is given explicitly in Algorithm 3.
The fundamental observation is that the prioritized basis proposed in the last section is particularly well-suited to this type of strategy, because of the resulting ‘negacyclic permutation’ effect of multiplication by . It results in a savings of instead of and is completely analogous to the trick above in both space and efficiency savings. It requires that the block size be a power of .
Write for the vector of coefficients of in the prioritized basis. The action of (taking to ) on such a vector permutes the entries, and swaps the sign on some of them (since ). Suppose is exactly divisible by (i.e. ). With regards to the permutation only (ignoring the signs), the permutation has the property that it stabilizes each consecutive block of length throughout (that is, it permutes each block individually). For fixed , there are exactly such integers (note that is taken modulo , for results in the identity permutation). The following consequence is key:
Property 1.
Let denote block size. Then applying preserves the property that has first block (or series of any number of first blocks) consisting of zero entries.
This property will allow us to rotate samples by any of the quantities during BKW reduction with block size .
Next, one must specify a canonical choice of representative from the set of possible rotations , depending only on the first non-zero block of entries, up to an overall sign. A possible canonical choice is the ordering which has smallest first entry (in absolute value), together with some tie-breaking conventions, e.g. smallest second entry, etc., and if all entries are equal in absolute value, then some appropriate convention on sign changes between and , etc. However, any ordering of the possible length- vectors modulo overall sign, will do. It is not possible to break a tie if the first entries of the two rotations actually agree up to overall sign under one of the rotations. However, in this case we have found a “self-match,” meaning that two of the rotations have a difference which has all zero in the block under consideration, and so at most one of the two rotations need be stored, and the difference is sent to the following block, as with any collision, as in a traditional BKW algorithm.
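The following Python script, added here as an illustration and not part of the paper's Sage implementation, makes the prioritized basis of Section 7 and the advanced-keying construction concrete for the toy ring Z_Q[x]/(x^N + 1) with N = 16, Q = 97 and block size B = 4 (constructed parameters). It builds the basis by bit-reversal followed by reversal of the order, checks that multiplicative order is non-increasing along it, verifies Property 1 directly (for j a multiple of N/B, multiplication by x^j permutes coefficient positions within each consecutive block of length B, with sign changes from x^N = -1), and computes the canonical rotation of a sample as the lexicographically smallest sign-normalised first non-zero block. The function names and the lexicographic tie-breaking order are choices made for this example; the text leaves the ordering open.

```python
from math import gcd

# Toy ring parameters constructed for this example (not from the paper):
# R = Z_Q[x]/(x^N + 1) with N a power of two, and BKW block size B a power of two.
N, Q, B = 16, 97, 4


def bit_reverse(i, k):
    """Reverse the k-bit binary representation of i."""
    return int(format(i, f"0{k}b")[::-1], 2)


def prioritized_basis(n):
    """Exponents e of the prioritized basis (x^e in this order): sort the indices
    0..n-1 by their bit-reversed value, then reverse the resulting order."""
    k = n.bit_length() - 1
    return sorted(range(n), key=lambda i: bit_reverse(i, k))[::-1]


def mult_order(e, n):
    """Multiplicative order of x^e in R; x itself has order 2n because x^n = -1."""
    return 2 * n // gcd(e, 2 * n)


def orders_nonincreasing(n):
    """The defining property of the basis: an element of lower multiplicative order
    never precedes one of higher order."""
    orders = [mult_order(e, n) for e in prioritized_basis(n)]
    return all(orders[i] >= orders[i + 1] for i in range(n - 1))


def rotate(vec, j, basis, q):
    """Multiply by x^j, acting on a coefficient vector given in the prioritized basis.
    The entry at position p (exponent basis[p]) moves to the position of exponent
    (basis[p] + j) mod n and changes sign each time the exponent wraps past n."""
    n = len(basis)
    where = {e: p for p, e in enumerate(basis)}
    out = [0] * n
    for p, c in enumerate(vec):
        e = basis[p] + j
        sign = -1 if (e // n) % 2 else 1
        out[where[e % n]] = (sign * c) % q
    return out


def rotation_stays_in_blocks(n, b):
    """Property 1: for every j that is a multiple of n/b, multiplication by x^j maps each
    position to a position in the same consecutive block of length b."""
    basis = prioritized_basis(n)
    where = {e: p for p, e in enumerate(basis)}
    return all(where[(basis[p] + j) % n] // b == p // b
               for j in range(0, n, n // b) for p in range(n))


def sign_normalize(vec, q):
    """Negate the vector if its first non-zero entry lies in (q/2, q), so v and -v agree."""
    first = next((c for c in vec if c), 0)
    return [(-c) % q for c in vec] if first > q // 2 else vec


def canonical_rotation(vec, basis, q, b):
    """Advanced keying: among the b rotations x^j (j a multiple of n/b), return the one
    whose first non-zero block is lexicographically smallest after sign normalisation,
    together with j. Every rotation of the same sample (up to sign) yields the same
    result, so rotated copies of one sample land in the same table row."""
    n = len(basis)
    t = next((i for i in range(0, n, b) if any(vec[i:i + b])), None)
    if t is None:
        return list(vec), 0                    # zero vector: nothing to key on
    best = None
    for j in range(0, n, n // b):
        r = sign_normalize(rotate(vec, j, basis, q), q)
        key = tuple(r[t:t + b])                # by Property 1 block t stays the first non-zero one
        if best is None or key < best[0]:
            best = (key, r, j)
    return best[1], best[2]


if __name__ == "__main__":
    basis = prioritized_basis(N)
    print("prioritized exponents:", basis)
    print("multiplicative orders:", [mult_order(e, N) for e in basis])
    sample = list(range(1, N + 1))             # constructed coefficient vector
    for j in range(0, N, N // B):
        print(j, canonical_rotation(rotate(sample, j, basis, Q), basis, Q, B))
```

Running the script shows every rotation of the constructed sample normalising to the same canonical vector, which is what lets a table keyed on canonical rotations store one row where the all-rotations approach stores one row per rotation. The self-match case described above corresponds to two distinct j producing equal keys in canonical_rotation; with the distinct entries used here that cannot happen, and a full implementation would pass the difference of the two rotations on to the next table.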
The advanced keying BKW reduction is given in Algorithm 3, and for comparison purposes, the traditional BKW reduction using all rotations of each sample is given in Algorithm 2.
Correctness of Algorithm 3 is a consequence of Property 1. Furthermore, Algorithms 2 and 3 catch the same collisions in the following heuristic sense. For each collision , there will be another collision at for any . In Algorithm 2, all of these collisions are passed on to the next table after storing new rows in the current table. But any one of the samples sent on can generate the others via rotation, so only one of them is actually needed at the next table. In Algorithm 3, only one of them is stored and only one is sent onward (but only one is needed). However, there is some difference in the final output because we are only keeping one sample per row, and the order of input samples to a given table may differ, resulting in a different table entry. If one uses the all-differences variation, this difference disappears and the output of the two algorithms will be the same.
The following is immediate from Algorithm 3.
Proposition 9.1.
Each table in Algorithm 3 has at most rows in total.
Finally, we remark again that BKW reduction improvements for LWE, such as coded-BKW and sieving, may also be adapted to use the advanced keying demonstrated here, provided block sizes can be maintained as powers of (varying them is fine). As some modern algorithms vary block size, this may be an impediment. The naïve way to do this would be to code samples first, then choose a canonical rotation of each codeword. Perhaps better, one could also code each rotation and choose the one with smallest error, which may introduce a significant improvement to the error inflation, depending on the choice of code. (Note that, for those familiar with coded-BKW, the notion of advanced keying is not so different from coding, as it provides a sort of ‘codeword’ for each sample, without any error inflation.)
Algorithms 2 and 3, as well as a completely ring-blind version of BKW reduction were coded in Python in Sage Mathematics Software for comparison purposes. Some example results are given in Table 1. In short, the advanced keying did reduce table sizes and samples needed as described, and had a faster overall runtime. A few remarks are in order:
(1) The experiments were chosen to represent a range of small parameter sets, where timings were in the range of seconds or minutes on a Lenovo X1 laptop.
(2) After parameters were chosen, the number of samples was chosen to be a round number at which the final table began to have a few samples on average; the timing therefore roughly represents the time until the final table begins to populate.
(3) To compare meaningfully, the ring-blind algorithm uses times as many initial samples, which is equal to the total number of rotations of incoming samples for the other algorithms. The fact that the final table is populated but not full in all cases is evidence that the number of samples needed by Algorithms 2 and 3 is of those needed naïvely.
(4) For some smaller parameter sets, we also tested a version of the algorithm (labelled AD = ‘All Differences’) in which every sample encountered is stored (so each row of the table can contain multiple samples) and every difference is passed on (i.e. the new sample is compared to everything already in its row). The purpose of this is to demonstrate that the advanced keying will still find the same number of samples. However, the AD version is significantly slower in all cases, so it was only implemented for some of the smaller parameter sets in the table.
(5) Algorithms 2 and 3 are pseudocode; the implementation necessarily addressed details not covered in the pseudocode presentation. For example, some moderate attention was given to efficiency in the rotation of samples: when only certain coefficients of the rotation were needed, only those were computed.
Some experimental observations:
(1) The table sizes observed in Algorithm 3 are very close to of the number observed in Algorithm 2, as expected.
(2) The faster runtime of Algorithm 3 is a result of the fact that fewer samples are handled ( as many are fed to the first table compared to Algorithm 2), although they must be handled in more detail, so the speedup is less than a factor.
(3) Algorithms 2 and 3 use the exact same starting data, and it is reassuring that the reduced sample counts are similar, and the same in the AD version.
(4) Algorithm 2 tends to find more samples than Algorithm 3. The difference is in which matches are found when more than two samples collide in a row in the table, and is therefore more pronounced as the number of rows grows.
10. In practice
It is evident that the runtime of Ring-BKW is expected to be better than that of standard BKW (in any of its current forms), since the reduction and hypothesis-testing phases may be taken to be the same, but the back-substitution phase is no longer required. Furthermore, the smaller Ring-LWE problems of hypothesis testing can be solved in parallel.
Albrecht et al. computed the runtime for BKW [2]. This work has been rendered out of date by many of the modern speedups mentioned in the introduction, but it is likely safe to say a few things that still hold true about modern BKW runtimes. First, the reduction phase is the dominant cost. Second, however, the back-substitution phase differs from the reduction phase by a polynomial factor, so eliminating it can be expected to give a polynomial-factor speedup.
Advanced keying also offers a visible benefit when compared to a ring-blind implementation of BKW: table sizes are reduced to of their former size and the number of samples used is reduced to approximately as many. Each sample must be treated rather more carefully, however: it is rotated and a canonical choice made. Even so, experiments still indicate increasing runtime gains with dimension, even against traditional BKW with every sample rotated before beginning. Nevertheless, advanced keying requires block sizes to be a power of , and therefore may or may not be useful or extendable in view of the changing block sizes sometimes employed in BKW reduction.
The Ring-LWE Challenges [13] are in the form of Tweaked Ring-LWE, which refers to dual Ring-LWE transferred to the unital version (see [13, §2.3]), so that the parameter assumptions in this paper apply to the two-power cyclotomic challenges included therein. It would be very interesting to test these algorithms on those parameters, but it is beyond the scope of this paper.
References
[1] Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions: cryptanalysis of some FHE and graded encoding schemes. In: Advances in cryptology—CRYPTO 2016. Part I, Lecture Notes in Comput. Sci., vol. 9814, pp. 153–178. Springer, Berlin (2016), https://doi.org/10.1007/978-3-662-53018-4_6
[2] Albrecht, M.R., Cid, C., Faugère, J.C., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Des. Codes Cryptogr. 74(2), 325–354 (2015), https://doi.org/10.1007/s10623-013-9864-x
[3] Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 327–343. USENIX Association, Austin, TX (2016), https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/alkim
[4] Bernstein, D.J., Lange, T.: Never trust a bunny. In: Radio Frequency Identification. Security and Privacy Issues. RFIDSec 2012, Lecture Notes in Comput. Sci., vol. 7739, pp. 137–148. Springer, Berlin (2013), https://doi.org/10.1007/978-3-662-49890-3_6
[5] Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003), https://doi.org/10.1145/792538.792543
[6] Bos, J.W., Naehrig, M., van de Pol, J.: Sieving for shortest vectors in ideal lattices: a practical perspective. Int. J. Appl. Cryptogr. 3(4), 313–329 (2017), https://doi-org.colorado.idm.oclc.org/10.1504/IJACT.2017.089353
[7] Brakerski, Z., Perlman, R.: Order-LWE and the hardness of Ring-LWE with entropic secrets. Cryptology ePrint Archive, Report 2018/494 (2018), https://eprint.iacr.org/2018/494
[8] Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Advances in cryptology—CRYPTO 2011, Lecture Notes in Comput. Sci., vol. 6841, pp. 505–524. Springer, Heidelberg (2011), https://doi.org/10.1007/978-3-642-22792-9_29
