Ring Learning With Errors: A crossroads between postquantum cryptography, machine learning and number theory
Iván Blanco Chacón

Abstract
The present survey reports on the state of the art of the different cryptographic functionalities built upon the ring learning with errors problem and its interplay with several classical problems in algebraic number theory. The survey is based to a certain extent on an invited course given by the author at the Basque Center for Applied Mathematics in September 2018.
| Category | Number of proposals |
|---|---|
| Code-based (Hamming) | 5 |
| Code-based (rank metric) | 2 |
| Lattice-based (LWE) | 1 |
| Lattice-based (RLWE) | 6 |
| Lattice-based (PLWE) | 1 |
| Lattice-based (Other) | 4 |
| Multivariate-based | 4 |
| Hash-based | 1 |
| Supersingular isogeny-based | 1 |
| Other | 1 |
Ring learning with errors: a crossroads between postquantum cryptography, machine learning and number theory
Iván Blanco-Chacón
Department of Mathematics, School of Science
University of Alcalá de Henares
Ctra. Madrid-Barcelona Km. 33,600
Alcalá de Henares, Spain
Abstract.
The present survey intends to serve as a comprehensive account of the main areas of cryptography based on the Ring Learning With Errors problem. We cover the major topics, from their mathematical foundations to the main primitives, as well as several open ends and recent progress, with an emphasis on the connections with algebraic number theory. This work is based to a certain extent on an invited course and a seminar given by the author at the Basque Center for Applied Mathematics in 2018 and at ICIAM 2019. Our aim is to provide an introduction to the topic for graduate students with a background in algebra or number theory.
Key words and phrases:
Ring Learning With Errors, Postquantum cryptography, Lattice based cryptography, Applied Number Theory, Cyclotomic polynomials, Condition number.
Partially supported by Science Foundation Ireland 13/IA/1914 and MTM2016-79400-P.
1. Introduction
According to MIRACL Labs, it is estimated that a quantum computer capable of breaking most of modern public-key cryptography will be built in the next 10-15 years (20-25 years according to estimates made public in the last NIST call for the standardisation of postquantum primitives). Essentially all deployed public-key cryptography is built on supposedly hard (in a sense which will be made clear in Section 2) mathematical problems, most of which, like integer factorisation or the discrete logarithm problem, become relatively easy in the context of a working quantum computer. Symmetric primitives such as block ciphers and hash functions are only affected by the quadratic speed-up of Grover's algorithm, which is countered by doubling key and digest lengths. In response to this threat there is a need to migrate from the vulnerable constructs to constructs believed to remain strong even in a post-quantum world.
An example of such a hard problem is the shortest vector problem in general lattices, which is known to be NP-hard (at least for a very small approximation factor). While there already exist post-quantum solutions for much of standard cryptography, like public-key encryption and digital signatures, it is currently unclear how some of the more elaborate protocols, like those providing integrity or non-repudiation, can be successfully migrated. In particular, in the last 10+ years bilinear pairings on elliptic curves have opened up many new possibilities, which will likely be rendered insecure in a postquantum world. Commercial products based on bilinear pairings have already found applications in the 'real world', and so much work must be done to ensure that we will be able to retain this functionality in the future.
At the same time there is much fundamental work to be done on the postquantum primitives themselves. A major decision is to choose between one or various of the following technologies, for each security/integrity demand:
- a)
Code based cryptography ([31]) is built on the infeasibility of syndrome decoding for general linear error-correcting codes over finite fields.
- b)
Multivariate based cryptography ([14]) is based on the fact that solving general systems of multivariate polynomial equations over finite fields is proved to be NP-hard.
- c)
Supersingular isogeny based cryptography ([19]) is a key exchange protocol analogous to Diffie-Hellman, but the commuting structure is provided by isogenies between supersingular elliptic curves over finite fields rather than by exponentiation in a cyclic group. Note that the SIDH/SIKE key exchange of [19] was broken by a classical polynomial-time key-recovery attack (Castryck and Decru, 2022) after this survey was written, so the count for this category in the NIST table above should be read with that in mind.
- d)
Finally, lattice based cryptography, admits a large number of different formulations and constructions. This report focuses on one of the most promising lattice-based technologies: Ring Learning With Errors (RLWE). This scheme is based on the RLWE problem, which is based in turn on the difficulty of solving the shortest vector problem (SVP) on ideal lattices.
At the time of writing, code, lattice and multivariate-based methods seem to be the strongest contenders, as they appear to have the flexible structure needed on which to base more complex protocols. Within these three categories, the lattice-based one has by far the largest number of unbroken primitives/protocols.
Lattice-based cryptography has a relatively mature history, primarily due to the work done by the early proponents of the related NTRU cryptosystem ([24]). This was a patented technology which enjoyed some minor success, but never really gained traction, as when it was invented, a quantum computer still seemed very far off. Its patents have now expired.
RLWE first came to prominence with the paper by Lyubashevsky, Peikert and Regev ([28]). A key-exchange algorithm proposed by them has recently been optimized and implemented (as NewHope) by Alkim, Ducas, Pöppelmann, and Schwabe ([1]), and deployed by Google in a well-publicised experiment ([10]). In recent times there have been many implementation improvements, see for example the recent paper by Scott ([38]). So there can be no doubting the practicality of the technology; opinions supporting this view include those of a good number of researchers in Intel Labs and MIRACL Labs.
RLWE is built on an earlier problem: the Learning with Errors (LWE) problem, which admits a (quantum) security reduction from worst-case SVP-type problems on arbitrary lattices, but with a much larger approximation factor than the one for which SVP is proved to be NP-hard. Of course, this is not a formal NP-hardness guarantee for LWE, but it can be regarded as evidence of its strength. Moreover, no polynomial-time attack, classical or quantum, has been found against LWE yet.
The main disadvantage of LWE is a quadratic overhead in the key sizes, which is overcome in the RLWE scenario at the cost of being backed only by the SVP over ideal lattices. This restricted problem is widely believed to be intractable on the basis of experience, but there is no formal hardness proof at the moment, for any approximation factor.
In spite of that, the RLWE variant appears to be eminently practical: like most post-quantum proposals, RLWE key sizes are much larger than those of non post-quantum methods, but the required computing power is usually much smaller. For example while an elliptic curve based cryptosystem might use keys of 256 bits, an equivalent system based on RLWE might require keys of 4096 bits to grant the same security level, while running maybe 10-100 times faster ([27]). These differences might be seen as balancing each other out. Furthermore, 30% of the surviving proposals for the NIST are based on RLWE.
Our report is structured as follows:
In section 2 we provide a quick introduction to the different features of cryptography and introduce the main terms and facts on complexity as they show up in the literature. We provide several examples, elaborating on those presented in the course by the author.
In section 3 we present the main concepts of lattice-based cryptography. We focus on the classical LWE problem, on which RLWE is built, and discuss its advantages and drawbacks, as well as different attacks against weak instantiations, which will be exploited in the RLWE scenario in Section 6.
Section 4 is a quick overview of a few key concepts in algebraic number theory: rings of integers, canonical embedding, and other topics. These pieces make up the foundations of RLWE, but the reader who is familiar with this material can safely skip it.
Section 5 introduces the RLWE problem in its various formulations. In particular, we carefully discuss the Polynomial Learning With Errors problem (PLWE), which appeared in the literature before RLWE ([40]). We discuss the equivalence between both problems and explain some recent advances in this topic: in particular we comment on recent work by the author ([6]) which gives a partial answer in the cyclotomic case, the most interesting from a cryptographic point of view. Besides, we explain the hardness result which backs RLWE and describe in full detail the LPR cryptosystem, as presented in [28]. We close the chapter by presenting a key exchange protocol based on RLWE ([15]).
Section 6 is a summary of several attacks against the RLWE cryptosystem. They reduce to LWE or to PLWE attacks and allow one to discard insecure choices of parameters. The search for secure instantiations motivates some number theoretical problems and conjectures which we also discuss.
Section 7 covers RLWE-based digital signatures and homomorphic encryption, a functionality which is gaining much interest nowadays, since it allows one to solve a good number of logistic and security problems in cloud computing and storage. We close the survey by discussing in detail some (second round) NIST figures.
A couple of remarks to end this introduction: first, by a polynomial time algorithm we mean an algorithm for which there exists a polynomial and a size function on the family of the algorithm inputs , such that the time it takes to run the algorithm on input is . Second, we will use sometimes the -notation: a function is if it is for some .
Acknowledgements: The author thanks Gary McGuire for carefully reading a preliminary version of this survey, Mike Scott for providing most of the practical highlights on RLWE, and the Basque Center for Applied Mathematics for their invitation to give this course and to take part in the postquantum cryptography mini-symposium at ICIAM 2019. Active and insightful discussion with the audience of the course and seminar, and in particular with Sebastiá Xambó, prompted the author to write this work.
2. Post-quantum cryptography
2.1. Cryptography features
Requirements such as confidentiality and proofs of identity are crucial in electronic financial and legal transactions, while some other features like non-repudiation or operating on encrypted data (homomorphic encryption) are gaining much traction within the last few years. We examine here most of these functionalities.
The best known cryptographic problem is confidentiality. This is attained by the use of well-designed encryption/decryption schemes.
To start with, we fix a finite alphabet , with some mathematical structure such as an abelian group or a field (e.g. the finite field for and prime, or an elliptic curve over this field). We consider three sets (keys), (plaintexts) and (ciphertexts) with . Finally, we consider a set which parametrizes the level of security, i.e., the larger , the safer the scheme.
Definition 2.1** (Cipher schemes).**
A cipher over is a family of pairs of efficiently computable functions where for each , (encryption function) and (decryption function) are such that for each key and for each plaintext , the following correctness property holds:
[TABLE]
That is to say, decryption undoes encryption.
Efficiently computable means that both and can be computed by an algorithm which is polynomial in the security parameter , i.e., there exist polynomials only depending on the scheme, such that for each , , , and , the number of steps to compute (resp. ) is upper bounded by (resp. ). Moreover, the algorithm for can be probabilistic, while should always be deterministic.
Since in our definition both the encryption and decryption parties have the same key (i.e., the scheme is symmetric), they should agree beforehand on that key somehow. For instance, they might do it physically in a secret meeting but they can also use a digital key exchange protocol. As usual, any arbitrary legitimate sender (receiver) will be called Alice (Bob), and any arbitrary eavesdropper will be called Eve.
Definition 2.2** (Key exchange protocol).**
A key exchange protocol is an efficient method for Alice and Bob to agree on a key through a (potentially unsafe) channel. One of the most famous protocols is Diffie-Hellman's (DH) (there are more general versions of the Diffie-Hellman problem, not known to be equivalent to a discrete logarithm problem, but here we stick to its version over finite fields, which by construction is so), where Alice and Bob start by agreeing on a finite field and a primitive root , namely, a generator of the cyclic multiplicative group . The pair is made public, and to agree on a private key, Alice selects an integer and Bob selects an integer . Then, Alice sends modulo to Bob, who on receiving it, raises it to modulo , getting modulo . Next, Bob sends modulo to Alice, who raises it to , obtaining also modulo , the agreed private key.
Notice that without knowledge of or , Eve cannot obtain from and in an efficient manner (on a classical computer!), the main obstruction being the infeasibility of the discrete logarithm, namely, to obtain from modulo , if is known. Nowadays, a combined usage of Diffie-Hellman (or some variant, usually ECDH) with a suitable symmetric cipher is used in most internet protocols, like TLS or SSH. A variant of DH is ECDH, where the multiplicative group is replaced by the additive group of an elliptic curve over .
Definition 2.3** (Digital signatures).**
A signature scheme is a pair , where is an efficient key generating probabilistic algorithm, and is a family of pairs of efficiently computable (by polynomial-time probabilistic algorithms) functions (space of tags) and such that whenever (secret key) and (public key) are sampled from on security level , then, for every message :
[TABLE]
For a security level , is called the signature function and the verification function, which returns 1 if the signature is valid and 0 otherwise, and the correctness of the scheme means that on a message and a secret key , the signature function produces a tag , which is verified as valid by the verifying function with probability , given the message and the public key . This scheme provides a proof that the message was signed by a known signatory (authentication) and the signatory cannot deny having signed the message (non-repudiation). Classic designs of digital signature schemes include Rabin’s algorithm, Lamport schemes and Merkle trees, as well as RSA-based protocols ([7] 13.3.1).
Integrated Encryption Schemes combine a key agreement with a symmetric cipher and a message authentication code, so they provide confidentiality together with integrity of the ciphertext. Two of the most commonly used are ECIES, which operates with elliptic curves, and DLIES, which operates over . Note that, unlike signcryption, they do not provide non-repudiation: the MAC key is shared by both parties, so either of them could have produced the tag.
Definition 2.4** (Homomorphic encryption).**
(From now on, to ease notation, we will omit the -subscripts unless it results in ambiguity.)
Let be a cipher over where and are abelian groups under the operations and respectively. The cipher is said to be homomorphic if for each key and plaintexts , it is
[TABLE]
Example 2.5**.**
RSA encryption is multiplicatively homomorphic. Indeed, for an RSA integer and an exponent modulo with inverse , encryption goes as , which clearly commutes with the product modulo , but not with the sum.
When in addition and have ring structure and encryption commutes with both ring operations, the cipher is said to be fully homomorphic (FHE). Notice that RSA is not fully homomorphic.
Homomorphic encryption allows one to perform operations on the plaintext by operating directly on the ciphertexts, i.e., without decrypting first. This is relevant when the operations are outsourced and performed on an untrusted server. The same property is a liability for a plain encryption scheme, since anyone can turn a ciphertext into a ciphertext of a related plaintext (malleability), which is why textbook RSA is never used without padding. Applications of homomorphic encryption include encrypted database queries, cloud computing, genetic computing, health data management or outsourced generation of blockchain addresses.
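As an added example (not code from the survey), the following script shows Example 2.5 and the malleability remark in working form: textbook RSA commutes with multiplication but not with addition, and the same property lets Eve transform a ciphertext without knowing the plaintext. The primes, the exponent and the messages are constructed toy values and far too small for real use; the modular inverse uses Python 3.8+.

```python
# Added example: textbook RSA is multiplicatively homomorphic, which is
# exactly what makes it malleable.  All parameters are constructed toy
# values for illustration (assumption), not real-world sizes.
from math import gcd

P, Q = 1_000_003, 1_000_033       # constructed toy primes
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)                # modular inverse, Python 3.8+


def encrypt(m: int) -> int:
    """Textbook RSA: c = m^e mod N (no padding, hence deterministic)."""
    return pow(m, E, N)


def decrypt(c: int) -> int:
    """m = c^d mod N."""
    return pow(c, D, N)


def mult_homomorphic(m1: int, m2: int) -> bool:
    """Enc(m1) * Enc(m2) mod N decrypts to m1 * m2 mod N."""
    return decrypt(encrypt(m1) * encrypt(m2) % N) == (m1 * m2) % N


def add_homomorphic(m1: int, m2: int) -> bool:
    """Enc(m1) + Enc(m2) mod N does not decrypt to m1 + m2 (except by
    negligible coincidence): RSA is not additively homomorphic."""
    return decrypt((encrypt(m1) + encrypt(m2)) % N) == (m1 + m2) % N


def malleability_attack(c: int, factor: int) -> int:
    """Eve, knowing only the public key (N, E) and a ciphertext c of an
    unknown m, produces a valid ciphertext of factor * m mod N."""
    return c * pow(factor, E, N) % N


if __name__ == "__main__":
    c = encrypt(1000)
    print("multiplicative:", mult_homomorphic(12345, 67890))
    print("additive:      ", add_homomorphic(12345, 67890))
    print("Eve tripled the plaintext to", decrypt(malleability_attack(c, 3)))
```

Run it as a script to see the three checks; the malleability call is the reason real deployments wrap RSA in OAEP or, for signatures, PSS.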
2.2. P, NP, NP-hard and NP-complete
The author has often seen that the terms intractable, unfeasible, and hard are used in the postquantum cryptography literature in a rather loose (at best!) manner, and this may lead one to believe that certain computational problems enjoy complexity guarantees that they simply do not have. We make precise here the main terms that usually appear in the problems which back lattice cryptography.
Definition 2.6** (The P and NP classes).**
The P class consists of the decision problems whose solution can be found on a deterministic Turing machine in time polynomial in the input size. The NP class consists of the decision problems for which a putative solution can be checked to be a real solution or not on a deterministic Turing machine in time polynomial in the input size.
Equivalently, the NP class consists of the decision problems such that a solution can be found in polynomial time on a non-deterministic Turing machine: indeed, assuming Definition 2.6 for the NP class, an algorithm based on a non-deterministic Turing machine can be built in two steps; the first is a non-deterministic guess of the solution, and the second is a polynomial deterministic algorithm that verifies whether the guess is a solution (cf. [2] p. 283 for details). A common misconception is that the term NP stands for non-polynomial, when in fact it stands for non-deterministic polynomial time.
A note of caution: as we pointed out at the end of the introduction, the term in polynomial time means that the time it takes to solve a problem is, on input , upper bounded by a polynomial in where is a size function. The most used size function is the logarithm, as we can regard it, essentially, as the number of digits, a true size of the input. Hence, a brute force attack on the DLP for takes powers and checks, which is polynomial in but exponential in . There are classical (non-quantum) algorithms which drastically reduce the order, like the number field sieve (subexponential), but none of them is polynomial in . We refer the reader to Section 4 of this work for a summary on number fields and their key properties and to [25] for an exposition of the number field sieve method.
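As an added example (not code from the survey) serving both Definition 2.2 and the remark above on the size function, here is the finite-field Diffie-Hellman exchange with both parties' messages, the generator check, a rejection of the degenerate public values an active attacker can inject, and Eve's brute-force discrete logarithm, whose trial count is bounded by the prime itself rather than by its bit length. The safe prime 1019 = 2·509 + 1, the generator 2 and the trial-division primality test are constructed toy choices (assumptions); real deployments use 2048-bit or larger groups such as those of RFC 7919.

```python
# Added example: textbook Diffie-Hellman over F_p with a safe prime p = 2q+1,
# plus Eve's brute-force DLP.  Toy parameters are constructed for
# illustration (assumption); never use them for real keys.
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_primitive_root(g: int, p: int) -> bool:
    """g generates F_p^* iff g^((p-1)/r) != 1 mod p for every prime r | p-1."""
    n, factors, d = p - 1, set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return all(pow(g, (p - 1) // r, p) != 1 for r in factors)


class Party:
    """One side of the exchange; the exponent lives in [1, q-1], q = (p-1)/2."""

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        q = (p - 1) // 2
        self.secret = secrets.randbelow(q - 1) + 1

    def public(self) -> int:
        return pow(self.g, self.secret, self.p)

    def shared(self, other_public: int) -> int:
        # Reject 0, 1 and p-1: the values an active attacker injects to force
        # the shared key into the subgroup {1, p-1}.
        if not 1 < other_public < self.p - 1:
            raise ValueError("invalid public value")
        return pow(other_public, self.secret, self.p)


def diffie_hellman(p: int, g: int):
    """Run the exchange; return both wire messages and both derived keys."""
    assert is_prime(p) and is_prime((p - 1) // 2), "p must be a safe prime"
    assert is_primitive_root(g, p), "g must generate F_p^*"
    alice, bob = Party(p, g), Party(p, g)
    msg_a, msg_b = alice.public(), bob.public()   # Alice -> Bob, Bob -> Alice
    return msg_a, msg_b, alice.shared(msg_b), bob.shared(msg_a)


def brute_force_dlp(g: int, h: int, p: int):
    """Eve's naive attack: try x = 0, 1, 2, ... until g^x = h mod p.
    Returns (x, trials).  trials <= p-1 = 2^(log2 p): polynomial in p,
    exponential in the bit length of p, which is the real input size."""
    x, acc = 0, 1
    while acc != h:
        acc = acc * g % p
        x += 1
        if x >= p:
            return None, x
    return x, x + 1


if __name__ == "__main__":
    P, G = 1019, 2
    a, b, k_alice, k_bob = diffie_hellman(P, G)
    print("Alice -> Bob:", a, " Bob -> Alice:", b, " keys agree:", k_alice == k_bob)
    x, trials = brute_force_dlp(G, a, P)
    print("Eve recovered Alice's exponent", x, "after", trials, "trials")
```

Doubling the bit length of the prime squares the worst-case trial count, which is the sense in which brute force is exponential even though it is "linear in p".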
Example 2.7**.**
The problem of primality testing, i.e. deciding whether a positive integer is prime or not, is NP. The easy direction is compositeness: a proper divisor is a certificate, checked by a single division in about (log n)^2 bit operations. A succinct certificate for primality itself is less obvious, but Pratt showed in 1975 that one exists (a generator of the multiplicative group together with the recursively certified factorisation of n-1), so both the problem and its complement are in NP. Moreover, in a major breakthrough, Agrawal, Kayal and Saxena proved that primality testing is also a P problem.
Example 2.8**.**
The problem of factoring, namely to return a proper factorisation with of an input is also NP: a pair can be checked to be (or not) a non trivial factorisation of by performing approximately multiplications, if .
Two celebrated algorithms due to Peter Shor solve the factoring problem and the DLP in polynomial time on a quantum computer ([39]). To factor a positive integer , Shor's algorithm picks an integer at random in the range . If it is a unit modulo (otherwise its greatest common divisor with is already a non-trivial factor), the algorithm calls a sub-routine to compute its order modulo . With this period, the algorithm produces a non-trivial factor of with arbitrarily large probability in polynomial time. The order-finding sub-routine is run on a quantum computer, but the use of the order to produce a factor is classical.
In fairness, this does not mean that the problem of factoring is in the P class: a (probabilistic) quantum algorithm is not equivalent, in general, to a deterministic Turing machine. What Shor's result shows is that factoring and the DLP lie in BQP, the class of problems solvable with bounded error in polynomial time on a quantum computer.
Definition 2.9** (Reduction).**
We say that a problem A admits a reduction to a problem B if any instance of A can be transformed into an instance of B in polynomial time, namely, if solving B suffices for solving A with the same order of complexity (by order of complexity we mean polynomial, superpolynomial, subexponential and exponential; we stick to these orders as they are enough for our analysis).
Informally, NP-hard and NP-complete problems are those at least as hard as every problem in the NP class, but while NP-complete problems belong to NP, NP-hard ones need not. More precisely:
Definition 2.10**.**
The NP-hard class consists of those problems A such that every problem in NP can be reduced to A in polynomial time. The NP-complete class consists of those NP problems which are NP-hard.
Example 2.11**.**
The prime factorisation problem, i.e. to return all the prime factors with multiplicity of an input , is clearly NP: checking if a putative solution is a prime factorisation of can be done in (deterministic) polynomial time. However it is not known if the prime factorisation is NP-hard (and hence NP-complete). It is expected, moreover, not to be in the P class.
So, a quantum computer would render insecure both RSA and Diffie-Hellman. The elliptic curve version of Diffie-Hellman fares no better: Shor's algorithm solves the discrete logarithm in any finite cyclic group, including the group of points of an elliptic curve, so ECDLP falls directly and ECDH should also be avoided in a post-quantum scenario. Even classically, the Tate and Weil pairings reduce ECDLP to the DLP in an extension of the base field ([29]), a reduction which is polynomial (although probabilistic) on supersingular curves, so such curves already require larger parameters today. This is a reason to consider schemes which use other abelian varieties: Jacobians of hyperelliptic curves are known to be good candidates, but beyond genus 3 the complexity of finding explicit equations and of computing the addition law renders them unfeasible.
Finally, another well-known problem is whether or not. If equality held, all cryptographic (classic and postquantum) primitives based on NP problems would be useless. On the contrary, if, as it is widely believed, , then every NP-hard problem would be non-polynomial, hence suitable for cryptography: indeed, if is NP-hard, in case , take in . Then cannot be polynomial (otherwise, would be so).
But for the moment, lacking a proof of , all we can say is that NP-hard problems are strongly expected to be suitable for (postquantum) cryptography. Even then, worst-case hardness is not enough by itself: a cryptographic primitive needs instances that are hard on average, for the distribution its key generation actually samples from, and bridging that gap is precisely what the worst-case to average-case reductions of Sections 3 and 5 are for.
3. Lattice based cryptography
The security of lattice-based schemes relies on two problems which are expected to be intractable on a quantum computer, as we explain next. By length, we mean Euclidean length, denoted .
Definition 3.1**.**
A lattice in is a pair where is a finitely generated and free subgroup of the additive group and is an isomorphism. We denote by the minimal length among the set of non-zero elements of .
Notice that our definition implicitly assumes that the lattice has full rank. There are more general definitions, but this one will be enough for us.
Example 3.2**.**
In the ring of Gaussian integers , identifying with , we can impose a lattice structure in (at least) two ways:
[TABLE]
or
[TABLE]
Definition 3.3**.**
Let be a lattice in with basis . The fundamental parallelogram of associated to is:
[TABLE]
Problem 3.4** (SVP).**
The shortest vector problem (SVP) is, on input of an arbitrary lattice in , together with a basis, to determine a vector with length . For , the -approximate shortest vector problem (-SVP) is to determine a non-zero vector with .
Problem 3.5** (CVP).**
The closest vector problem (CVP) is, on input of an arbitrary lattice in , together with a basis and a point , to find such that
[TABLE]
In [30], it is proved that -SVP is NP-hard (under randomized reductions) for , and in [9], it is proved that CVP is NP-complete. Hence, if P ≠ NP, these two problems cannot be solved in polynomial time on a classical computer; ruling out a polynomial-time quantum algorithm requires the stronger, but also widely believed, assumption that NP is not contained in BQP.
3.1. The Learning With Errors problem (LWE)
Let be a rational prime for which a suitable choice will be made later.
Definition 3.6**.**
The real torus of dimension is the quotient group , its elements are equivalence classes of the form with .
Lemma 3.7**.**
The following map is a group monomorphism:
[TABLE]
A realization of lattice-based cryptography immune to all currently known quantum attacks relies on the LWE problem, which we describe in this subsection. No NP-hardness proof is known for LWE, but, as we will see, it enjoys a worst-case to average-case reduction from lattice problems, which is the strongest kind of evidence currently available for a cryptographic assumption.
Definition 3.8** (LWE-oracles).**
Let be a discrete random variable with values in . For , chosen uniformly at random, a LWE-oracle with respect to and is a probabilistic algorithm which, at each execution, performs the following steps:
- 1.
Samples a vector uniformly at random from .
- 2.
Computes the scalar product .
- 3.
Samples from .
- 4.
Outputs the vector .
Definition 3.9** (The LWE problem).**
Let be a discrete random variable with values in as before. The LWE problem for and is defined as follows:
- a)
Search version: for an element chosen uniformly at random and a LWE-oracle , if an adversary is given access to arbitrarily many samples of the LWE distribution, this adversary must recover with non-negligible advantage.
- b)
Decisional version: for an element chosen uniformly at random and a LWE oracle , the adversary is asked to distinguish, with non-negligible advantage, between arbitrarily many samples from and the same number of samples where and are chosen independently and uniformly at random from and .
From now on, will be an -valued Gaussian variable, which can be thought of as having values on via Lemma 3.7. Such a variable is defined as follows: For we set . Write
[TABLE]
and define to be the distribution on such that the probability of is . Finally, the discrete Gaussian distribution with values in , mean [math], and parameter is defined by the probability function
[TABLE]
Some words of caution: first, the variance of should be very close to , but need not be equal: in lattice-based cryptography one speaks about discrete random variables of parameter (rather than variance) . Second, effective sampling from discrete Gaussian distributions is a difficult topic and in practical cases it is approached only by numerical approximation (see [17]). Moreover, the sampler handles secret-dependent data, and samplers built from floating-point tables or data-dependent rejection loops have leaked secrets through timing in deployed lattice schemes, so an implementation must also be constant-time, not merely statistically close to the target distribution.
We conclude here with the following result due to Regev ([35]): a polynomial time quantum reduction from the SVP problem to the LWE problem, which backs the hardness of LWE and makes it a candidate to sustain a cryptosystem from it, as we will see in the next subsection.
Theorem 3.10** (Regev, [35]).**
Let be a discrete Gaussian of parameter , a prime and . Assume . Then, there is a quantum polynomial time reduction from -SVP, with to the search LWE problem attached to the LWE oracle .
3.2. Attacks against LWE
In the language of Machine Learning, due to Theorem 3.10, a training algorithm for the LWE problem can be turned, in polynomial time (on a quantum computer), into an algorithm (of the same complexity) which solves the SVP problem. If the -SVP problem were NP-hard for the value of given in Theorem 3.10, the NP-hardness of the LWE problem would follow. However, that value of depends on , the parameter of , and the values of for which the LWE problem for results in a correct cryptosystem are bigger than , the value for which SVP is NP-hard. Hence, Regev's reduction cannot be used to prove NP-hardness of LWE. Nevertheless, this kind of result can be seen as evidence of its security.
However, LWE has not yet been broken and there is a wide consensus that the problem is intractable. Nevertheless, some ad hoc instantiations may be insecure against very simple attacks. Given LWE samples , we can put them in rows to obtain a matrix and set , where e is the column vector of errors. We analyze three vulnerable instantiations:
- 1.
If is identically zero (errorless LWE), can be recovered via Gaussian elimination modulo as long as A has linearly independent rows, which holds with high probability for .
- 2.
If takes values in with fixed , we can round away each coordinate of b and subtract to reduce to errorless LWE.
- 3.
If each group of samples has an error vector drawn from some distribution in and some discretized error coordinate is always [math] under , we can ignore the samples corresponding to the other coordinates and since we have access to unlimited samples by hypothesis, we can equally reduce ourselves to errorless LWE. Analogously, we can reduce to errorless LWE if the sum (or a linear combination) of the error coordinates in each group is [math].
Remark 3.11*.*
Generalizing Case 2 in the above analysis, the error distribution is said not to wrap around if is small enough for some known . In this case, again by our unlimited access to the LWE oracle, the same attack as in Case 2 has good chance of success.
Other instantiations of LWE can be attacked by more sophisticated means. For instance, as described in [3], if all the discretized errors in our samples (i.e. seen not in the torus but in , after rounding to the closest integer) lie in a known set of size , then search LWE can be broken in approximately time and space, using samples. If , the attack is polynomial in the dimension, while if , the attack is sub-exponential. For details cf. [32], Section 2.
What these attacks should make us learn is that the distribution should be very carefully chosen, to avoid falling in a low dimensional subspace of , in which case, reduction to errorless LWE might have a good chance of success.
3.3. The LWE cryptosystem
Based on the hardness guarantee in Theorem 3.10, and avoiding the above problematic instantiations, the LWE problem can be used to build the following cryptosystem:
Construction 3.12** (LWE cryptosystem, Regev ([35])).**
- 1.
Parameters: , .
- 2.
Private key: chosen uniformly at random.
- 3.
Public key:
- 3.1
Sample , independently and uniformly at random.
- 3.2
Sample , independently from , which is assumed here to be a discrete Gaussian of zero mean and parameter .
- 3.3
Publish .
- 4.
Encryption: for a bit , consider it as an element of by mapping the [math] and of to the [math] and of . Select a random subset and map
[TABLE]
- 5.
Decryption: on receiving an encrypted message , compute . This equals . If , then has absolute value below with probability as close to as desired, depending on how we choose the parameter . So, if this is the case, decrypt to [math], otherwise, decrypt to .
The right choice of , and is given in the following result, whose proof is omitted since it is very similar to that of the LPR cryptosystem presented in Section 5, which we will discuss.
Theorem 3.13**.**
If , and is of the order of , then the LWE cryptosystem is correct and pseudorandom (i.e. statistically indistinguishable from a uniform distribution).
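As an added example (not code from the survey or from [35]), the following script implements Construction 3.12 end to end and then runs cases 1 and 2 of the attacks of Section 3.2 against deliberately weakened key generation, so that the role of the error term is visible. The parameters n = 32, q = 1031 (a prime between n² and 2n²), m = ⌊1.1·(n+1)·log₂ q⌋ and a Gaussian parameter of 2 are constructed toy choices (assumptions) made so that the demo runs in a second and decrypts correctly with overwhelming probability; they give no real security. The sampler is a plain table-based rejection-free sampler and is not constant-time.

```python
# Added example: Regev's LWE cryptosystem (Construction 3.12) with the
# errorless and constant-error attacks of Section 3.2.  Parameters are
# constructed toy values (assumption), not a secure instantiation.
import math
import random


def discrete_gaussian_sampler(sigma: float, rng: random.Random):
    """Sampler for the discrete Gaussian on Z with weight exp(-pi x^2 / sigma^2),
    truncated to |x| <= 10 sigma (toy sampler: table lookup, not constant-time)."""
    bound = int(10 * sigma) + 1
    support = list(range(-bound, bound + 1))
    weights = [math.exp(-math.pi * x * x / sigma ** 2) for x in support]
    return lambda: rng.choices(support, weights)[0]


class LWE:
    """Public key (A, b = A s + e mod q); encryption of one bit by a random
    subset sum of the public samples; decryption by rounding."""

    def __init__(self, n=32, q=1031, m=None, sigma=2.0, seed=0):
        self.n, self.q = n, q
        self.m = m or int(1.1 * (n + 1) * math.log2(q))
        self.rng = random.Random(seed)
        self.chi = discrete_gaussian_sampler(sigma, self.rng)

    def keygen(self, error=None):
        """error=None: Gaussian errors; error=c: every error equals c (weak)."""
        q, n, m, rng = self.q, self.n, self.m, self.rng
        s = [rng.randrange(q) for _ in range(n)]
        A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
        e = [self.chi() if error is None else error for _ in range(m)]
        b = [(sum(x * y for x, y in zip(row, s)) + ei) % q for row, ei in zip(A, e)]
        return s, (A, b)

    def encrypt(self, pk, bit: int):
        A, b = pk
        q = self.q
        S = [i for i in range(self.m) if self.rng.random() < 0.5]
        u = [sum(A[i][j] for i in S) % q for j in range(self.n)]
        v = (sum(b[i] for i in S) + bit * (q // 2)) % q
        return u, v

    def decrypt(self, s, ct) -> int:
        u, v = ct
        q = self.q
        d = (v - sum(x * y for x, y in zip(u, s))) % q
        if d > q // 2:               # centre into (-q/2, q/2]
            d -= q
        return 0 if abs(d) < q // 4 else 1   # near 0 -> 0, near q/2 -> 1


def solve_mod_q(A, b, q):
    """Gaussian elimination over Z_q (q prime) on the augmented matrix [A | b];
    returns s with A s = b mod q, or None if A has rank < n."""
    m, n = len(A), len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    pivot_row = 0
    for col in range(n):
        piv = next((r for r in range(pivot_row, m) if M[r][col] % q), None)
        if piv is None:
            return None
        M[pivot_row], M[piv] = M[piv], M[pivot_row]
        inv = pow(M[pivot_row][col], -1, q)
        M[pivot_row] = [x * inv % q for x in M[pivot_row]]
        for r in range(m):
            if r != pivot_row and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[pivot_row])]
        pivot_row += 1
    return [M[i][n] for i in range(n)]


def attack_errorless(pk, q):
    """Case 1: no error, so b = A s and elimination recovers s outright."""
    A, b = pk
    return solve_mod_q(A, b, q)


def attack_constant_error(pk, q, c):
    """Case 2: every error equals a known c; subtract it and reduce to case 1."""
    A, b = pk
    return solve_mod_q(A, [(bi - c) % q for bi in b], q)


if __name__ == "__main__":
    lwe = LWE(seed=1)
    s, pk = lwe.keygen()
    print("round trip:", [lwe.decrypt(s, lwe.encrypt(pk, bit)) for bit in (0, 1, 1, 0)])
    s0, pk0 = lwe.keygen(error=0)
    print("errorless key recovered:", attack_errorless(pk0, lwe.q) == s0)
    print("noisy key recovered:    ", attack_errorless(pk, lwe.q) == s)
```

With Gaussian errors, elimination returns the exact solution of some n of the m noisy equations, which is unrelated to s; with zero or constant errors the same routine recovers the secret key from the public key alone.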
As we can see, a public key for LWE has vectors in ; since is of the order of , it turns out that a public key has an -size of the order . This quadratic overhead is an unfeasible constraint from a practical point of view, in particular in settings such as hand-held digital broadcasting, mobile encryption and small devices in tentative applications of the IoT (Internet of Things), where the hardware has a relatively small memory. Moreover, in other recent scenarios where homomorphic encryption is desirable, LWE cannot fit well if the plaintext space is large enough. Such a scenario is that of electronic elections (e-voting and i-voting), which has to combine encryption with signature and authentication. For a large enough country, the size of the keys (which, even if a pseudorandom generator is used, must grow with the size of the plaintext space) is certainly to be taken into account.
A variation of the LWE problem, the ring learning with errors (RLWE) problem was introduced to tackle this quadratic overhead in the key sizes. The foundations of the problem require several notions from algebraic number theory, which we present next.
4. Some basics of algebraic number theory
Here we present the notions of algebraic number theory used to build the RLWE cryptosystem. Readers who are familiar with them can safely skip this section, since all our notations are standard. Readers who are not so familiar are referred to [41], Chapter 2 for more details.
4.1. Algebraic number fields
An algebraic number field (number field, for short) is a field extension of finite degree , where satisfies a relation for some irreducible polynomial , which is monic without loss of generality. The polynomial is called the minimal polynomial of , and is also the degree of . Notice that is in particular an -dimensional -vector space and the set is a -basis of called a power basis. Notice that associating with the unknown yields a natural isomorphism between and .
Let denote an algebraic closure of fixed from now on. A number field of degree has exactly field embeddings (injective field homomorphisms) fixing . Each embedding is determined by , where are the different roots of . The number field is said to be Galois if is the splitting field of .
**Example 4.1.**
Denote by the unique real cubic root of . The number field is not Galois: indeed, the other two roots of the minimal polynomial do not belong to . To make it Galois, we need to adjoin , a non-real cubic root of .
An embedding whose image lies in (corresponding to a real root of ) is called a real embedding; otherwise it is called a complex embedding. Since complex roots of come in conjugate pairs, so do the complex embeddings. The number of real embeddings is denoted and the number of pairs of complex embeddings is denoted , so we have . If (resp. ), is said to be totally real (resp. totally imaginary).
**Definition 4.2.**
The canonical embedding is then defined as
[TABLE]
4.2. Algebraic integers
An algebraic integer is an element of whose minimal polynomial over has integer coefficients. For a number field of degree , let denote the set of all algebraic integers in . This set forms a ring under addition and multiplication in ([41], Theorem 2.9), called the ring of integers of . Moreover, is a free -module of rank , i.e., it is the set of all -linear combinations of some basis of ([41], Theorem 2.16). Such a basis is called an integral basis.
**Example 4.3.**
Let be an integer. The set of primitive -th roots of unity (those of the form , with coprime to ) forms a multiplicative group of order . The -th cyclotomic polynomial is
[TABLE]
This is the minimal polynomial of for each , so that is a number field of degree . It can be proved ([41], Chapter 3) that the ring of integers of is precisely for each , with .
**Definition 4.4.**
A number field such that for some is said to be monogenic.
**Example 4.5.**
Let be a square-free integer. Consider the number field . It can be shown that the ring of integers of is if and otherwise.
**Definition 4.6 (Norm, trace and discriminant).**
For a number field of degree , given an element , its norm is defined as the product
[TABLE]
and the trace is
[TABLE]
The discriminant of , denoted is the square of the determinant of the following matrix:
[TABLE]
where is an integral basis of . Notice that since lattice base-change matrices are unimodular, the definition does not depend on the choice of the basis. (In most algebraic number theory texts our is called the minimal discriminant, since it is possible to define such a determinant for each -basis, not necessarily integral. We will only consider integral bases and minimal discriminants.)
**Example 4.7 ([42], Prop. 2.7).**
Let denote the -th cyclotomic field. Then, the discriminant of equals
[TABLE]
Norm, trace and discriminant are rational numbers. Moreover, they are integers when restricted to .
4.3. Ideals and ideal lattices
Recall that an ideal of a ring is an additive subgroup such that for each and each , it is . For instance, for , the subring is not an ideal of the ring of integers, just a subring with finite index.
Unlike , in the ring of integers of a number field , it is not true that every element is a unique product, up to order and units, of distinct irreducible elements. (An element of a ring is irreducible if for any such that , either or is a unit.) For example, in , we have , where and are irreducible elements. However, this generalisation holds if we replace (irreducible) elements by (prime) ideals:
**Theorem 4.8 ([41], Theorem 5.6).**
is a Dedekind domain. In particular, for each ideal , there exist unique prime ideals and unique integers such that
[TABLE]
Moreover, denoting , for , it is
[TABLE]
**Example 4.9.**
In , we can express the principal ideal as the product , with , and .
**Definition 4.10.**
Let be a rational prime decomposed as in with prime ideals. The number is called the ramification index of at , and if , then is said to ramify at . The number is called the inertia degree of at . If , then all the and are equal to , and is said to be totally split.
A theorem by Minkowski states that every number field has only finitely many ramifying primes, which are precisely the rational primes dividing the discriminant. Hence, going back to Example 4.7, we see that for the cyclotomic field the ramifying primes are those which divide .
**Definition 4.11.**
Let be a discrete ring (free and finitely generated as an abelian group) and an additive monomorphism. Notice that is a lattice. The family of ideal lattices (for the ring and embedding ) is the set of all lattices for ideals of .
For instance, for , the coefficient embedding maps any element of to the integer vector in whose coordinates are exactly the coefficients of that element when viewed as a polynomial residue. When , the canonical embedding provides in a natural way an ideal lattice for each ideal of .
Notice that under the canonical embedding, multiplication and addition are preserved componentwise. By contrast, for instance in the ring , componentwise multiplication in does not correspond to multiplication in : multiplying by is equivalent to shifting the coordinates and negating the constant term. This is one of the advantages of using the canonical embedding.
Moreover, one has the following connection between the fundamental parallelotope of and the discriminant :
**Theorem 4.12 ([41], cf. Theorem 8.1).**
Assume that the number field has pairs of complex embeddings. Then, the Euclidean volume of the fundamental parallelotope of equals .
5. Ring learning with errors: problems, cryptosystem and key exchange
To define the ring learning with errors problem (RLWE), let be a number field of degree and ring of integers , regarded as a lattice in , by means of the canonical embedding. Closely connected with RLWE is the polynomial learning with errors problem (PLWE). Next we formally introduce both problems and explore their relation.
5.1. Statement of the problems
In the rest of this subsection is supposed to be a monic irreducible polynomial of degree and is a rational prime which we will choose later. Define, further, , which can also be regarded as a lattice in by means of the coordinate embedding
[TABLE]
Each root of defines a number field . Moreover, the ring is a finite index suborder of the ring of integers . The restriction of the canonical embedding to also provides a lattice in . A very common choice is , the -th cyclotomic polynomial (cf. [40]).
The -dimensional torus attached to is , and the -torus is defined to be , with . As in Lemma 3.7, there are embeddings and .
**Definition 5.1 (RLWE and PLWE oracles).**
1. Let be a discrete random variable with values in (which we regard as taking values in ). For chosen uniformly at random, a RLWE oracle with respect to and is a probabilistic algorithm which, at each execution, performs the following steps:
   1. Samples an element uniformly at random;
   2. Samples an element from ;
   3. Outputs the pair .
2. Let be monic irreducible as above and a discrete random variable with values in (which we regard as taking values in ). For chosen uniformly at random, a PLWE oracle with respect to and is a probabilistic algorithm which, at each execution, performs:
   1. Samples an element uniformly at random;
   2. Samples an element from ;
   3. Outputs the pair .
**Definition 5.2 (The RLWE/PLWE problem).**
Let be a discrete random variable with values in (in ). The RLWE (PLWE) problem for is defined as follows:
a) Search version: for an element () chosen uniformly at random and a RLWE (PLWE) oracle , an adversary given access to arbitrarily many samples of the RLWE (PLWE) distribution must recover with non-negligible advantage.
b) Decisional version: for an element () chosen uniformly at random and a RLWE (PLWE) oracle , the adversary is asked to distinguish, with non-negligible advantage, between arbitrarily many samples from and the same number of samples taken uniformly at random from ().
Some words on the class of distributions we will use from now on: first, notice that if is totally split, which we will frequently assume, a RLWE sample can be seen as an -tuple of coordinates with values in . However, such a RLWE sample is much more than LWE samples: is not only an -vector space, it also has a ring structure. The flexibility and power of RLWE comes from exploiting the ring structure instead of the sheer lattice structure. This is why, instead of taking independent one-dimensional discrete Gaussians, we use an -dimensional one.
As in the -dimensional case, the mean will also be supposed to be [math], but in the RLWE scenario the variance-covariance matrix (or rather, the multidimensional parameter) is normally chosen, depending on the application, a) either to be diagonal, in which case the distribution is said to be elliptic (this is useful when carrying out security-reduction proofs), or b) to have its diagonal elements bounded in absolute value by , for a parameter which will be made explicit in the next theorem, which reduces the security of the decisional RLWE problem (hence of the search RLWE problem) to the hardness of SVP over ideal lattices.
Hence, from now on, we assume that is an elliptic -dimensional discrete -valued Gaussian with mean [math] and diagonal elements bounded as explained. The details are delicate and can be omitted in a first reading, since the aforementioned bound is what really matters for most proofs; the reader is referred to [28], p. 19 for more information.
**Theorem 5.3 ([28], page 19).**
Let be the -th cyclotomic number field of degree and its ring of integers. Let and let be a prime bounded by a polynomial in such that . There is a polynomial time quantum reduction from -SVP on ideal lattices of to the decisional RLWE problem for and . (A function is , for (denoted ), if for each integer there exists an integer such that for each , it is . The notation means that grows asymptotically at least as fast as .)
The proof consists of two parts: the first is a quantum reduction from worst case approximate SVP on ideal lattices to the search version of RLWE. The reduction works in general, not for just cyclotomic number fields. It uses the iterative quantum reduction for general lattices in [35] as a black box, the main effort being the classical (non-quantum) part, which requires a careful handling of the canonical embedding and a smart use of the Chinese Remainder Theorem.
The second part shows that the RLWE distribution is pseudorandom via a classical reduction from the search version, which has been shown at least as hard as SVP for ideal lattices in the first part. It uses the fact that the cyclotomic field is Galois and the fact that , namely, that the ideal splits totally into different prime ideals in .
In [34], Theorem 6.2, the authors build on the same kind of number-theoretical arguments as in [28] to prove an analogue of Theorem 5.3 for non-cyclotomic Galois number fields.
5.2. Equivalence between formulations
In [28], the RLWE problem is introduced with as sample space instead of , where denotes the dual of with respect to the trace map, namely:
[TABLE]
We have avoided this formulation to spare the definition of the different ideal and, no less important, to keep our presentation short. In any case, both formulations are equivalent ([37], Theorem 2.13). By equivalence we mean that every solution for primal-RLWE can be turned in polynomial time into a solution for dual-RLWE (and vice versa, but this direction is immediate, since ), incurring a noise increase which is polynomial in the degree of the number field.
Before speaking about the RLWE/PLWE equivalence we need to introduce a key concept: the condition number, which measures the distortion between the lattices given by the canonical embedding and the coordinate embedding.
For a monic irreducible polynomial of degree and a root of , consider again the subring . As lattices, is endowed with the coordinate embedding while is endowed with the canonical embedding inherited from , and the evaluation-at- morphism causes a distortion between both. Explicitly, the change between the embeddings is given by
[TABLE]
where are the Galois conjugates of . As we see, the transformation is given by a Vandermonde matrix.
For any matrix , denote its conjugate transpose by . The Frobenius norm is defined as
[TABLE]
The noise introduced by remains controlled whenever and do, and the product serves as a reasonable measure of this control (cf. [37], Ch. 4).
**Definition 5.4.**
The condition number of an invertible matrix is defined as Cond.
Thus, in the monogenic case, the problem of the equivalence is the problem of showing that for some independent of . The non-monogenic case needs an intermediate reduction that we will not address here.
In the above mentioned paper [37], the authors introduce the framework to study the RLWE/PLWE-equivalence in general and prove it for the following family of polynomials:
**Theorem 5.5 ([37], p. 4 and Theorem 4.7).**
There is a polynomial time reduction algorithm from RLWE over to PLWE for , where is the splitting field of with , runs over polynomials with , and runs over primes such that , with a polynomial. Notice that there is a trivial reduction from PLWE to RLWE. (For , the -norm is defined as .)
The argument to prove this theorem is, first, to consider the family of polynomials , with square-free. Denoting by the splitting field of , the authors first check the equivalence for and then show, via a careful use of Rouché's theorem, that when is perturbed by adding another polynomial of degree smaller than , the roots of both polynomials are close enough.
A reason to be interested in such an equivalence is that working with polynomial rings instead of rings of integers of number fields is more amenable to computer implementations. In [8], it is shown how the arithmetic of several polynomial rings leads to very efficient cryptographic designs.
5.3. The cyclotomic case
In practice, the number fields of most interest in cryptography are the cyclotomic number fields: they are very well understood and enjoy very nice arithmetic guarantees, like monogenicity, which allows an amenable and efficient use in implementations. However, until recently, very little was known regarding the equivalence apart from the power-of-two case: the ideas in [16] can be applied to show the equivalence for cyclotomic number fields of degree or with primes and . Besides that, the family in Theorem 5.5 is somewhat artificially constructed, but some of its ideas have been used by this author to give a partial proof of the equivalence in the cyclotomic case ([6]). This proof is, to our knowledge, the first given for general cyclotomic degree (with the caveat of imposing a condition which we comment on next).
Before that, let us examine first the power-of-two degree.
**Theorem 5.6.**
Let and . Then, the map is a scaled isometry. In addition, .
Proof.
To see that is a scaled isometry, observe that when we multiply by its conjugate transpose, the elements on the diagonal of the product matrix are identically , and outside the diagonal, the element in position of the product matrix equals
[TABLE]
But since are -primitive roots (and so are ), then and the sum vanishes. Hence, we have that
[TABLE]
and is an isometry. For the condition number, we write , hence . By Lemma 5.3, the result follows. ∎
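A numerical check of Theorem 5.6 and of Definition 5.4, as an added example that is not part of the survey. It builds the Vandermonde matrix of the primitive m-th roots of unity (the roots of the m-th cyclotomic polynomial), verifies that for m a power of two the product with the conjugate transpose is n times the identity, and computes Cond as the product of the Frobenius norms of the matrix and of its inverse. The inverse is obtained with a small Gauss-Jordan elimination written here for the example; the contrast case m = 5 (degree 4) is included to show that the scaled-isometry property is special to the power-of-two case.

```python
import cmath
import math
from math import gcd


def cyclotomic_roots(m):
    """Primitive m-th roots of unity, i.e. the roots of the m-th cyclotomic polynomial."""
    return [cmath.exp(2j * math.pi * k / m) for k in range(1, m + 1) if gcd(k, m) == 1]


def vandermonde(roots):
    """Row i = (alpha_i^0, alpha_i^1, ..., alpha_i^(n-1)): the change from the
    coordinate embedding to the canonical embedding."""
    n = len(roots)
    return [[r ** j for j in range(n)] for r in roots]


def frobenius(M):
    return math.sqrt(sum(abs(x) ** 2 for row in M for x in row))


def invert(M):
    """Gauss-Jordan inversion with partial pivoting over the complex numbers (example helper)."""
    n = len(M)
    A = [list(row) + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        if abs(A[p][c]) < 1e-12:
            raise ValueError("singular matrix")
        A[c], A[p] = A[p], A[c]
        piv = A[c][c]
        A[c] = [x / piv for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]


def condition_number(m):
    """Cond(V) = ||V||_F * ||V^{-1}||_F for the Vandermonde matrix of Phi_m."""
    V = vandermonde(cyclotomic_roots(m))
    return frobenius(V) * frobenius(invert(V))


def is_scaled_isometry(m, tol=1e-9):
    """True iff V * V^* = n * I, i.e. the rows are orthogonal of squared length n."""
    V = vandermonde(cyclotomic_roots(m))
    n = len(V)
    for i in range(n):
        for k in range(n):
            val = sum(V[i][j] * V[k][j].conjugate() for j in range(n))
            if abs(val - (n if i == k else 0)) > tol:
                return False
    return True


if __name__ == "__main__":
    for m in (8, 16, 32, 5, 7, 15):
        print(m, len(cyclotomic_roots(m)), is_scaled_isometry(m), round(condition_number(m), 4))
```

For m = 2^k the inverse is the conjugate transpose divided by n, so the Frobenius norms are n and 1 and Cond equals n exactly, which is the bound used in the proof above. For m = 5 the Gram matrix V V^* is 5I minus a rank-one matrix with eigenvalue 4, so its eigenvalues are 1, 5, 5, 5 and Cond = 4·sqrt(1 + 3/5) ≈ 5.06 > n.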
The main result in [6] is a polynomial bound on the condition number for cyclotomic number fields which depends only on a) the number of distinct primes dividing the conductor and b) the degree of the number field; what is more important, the dependence on the degree is polynomial once the number of distinct prime divisors has been fixed. Let us see how.
For , denote by the product of all the distinct primes dividing (without exponents). For the -th cyclotomic polynomial , denote by the maximum of all its coefficients in absolute value. For instance, for prime, , and for with primes, all the coefficients are , due to a classical result by Migotti, hence . Our result is as follows:
**Theorem 5.7 ([6], Thm. 3.10).**
Let and . If , then:
[TABLE]
Proof.
First, from the very definition, one has . Second, we use the following identity, a proof of which can be found, for instance, in [42] Ch. 1:
[TABLE]
which yields . The technical core of the result is a series of upper bounds for the entries of the inverse matrix , of which the most important is:
[TABLE]
∎
Now, to obtain the polynomial bound, we need to bound , which we do with the aid of a classical result due to Bateman:
**Theorem 5.8 (Bateman, [5]).**
Let with . Then
[TABLE]
We can now derive the polynomial bound:
**Corollary 5.9 ([6], Cor. 3.11).**
Let be fixed. If is the product of at most distinct primes, then is polynomial in . More generally, let be a family of cyclotomic polynomials whose degree is divisible by at most distinct primes. Assume that for polynomials in . Then,
[TABLE]
In [6], we also give a subexponential upper bound for the condition number when the number of primes is not fixed, as well as more precise upper bounds for conductors divisible by at most three primes. Namely:
**Theorem 5.10.**
For and , the following bounds hold for the condition number of the cyclotomic polynomial :
- a)
(**[6]** Thm. 4.1) If then
[TABLE]
- b)
(**[6]** Thm. 4.3) If then
[TABLE]
- c)
(**[6]** Thm. 4.6) If then
[TABLE]
In our proofs, apart from some of the ideas from [37] and some properties of cyclotomic polynomials from [42], we have used results from analytic number theory, like the aforementioned Theorem 5.8 due to Bateman and, for the case of two and three primes, results by Migotti and Bang ([4]). This should highlight the strong link between ring lattice-based cryptography and number theory.
5.4. The LPR (Lyubashevsky, Peikert and Regev) RLWE-cryptosystem
Both the RLWE and the PLWE problem can be turned into public key cryptosystems, as we show next. We will focus on the PLWE version here. So, let be a monic irreducible polynomial, a prime, and set . Let be an -valued discrete Gaussian (seen as taking values in ) and, as explained in the former subsection, assume its parameter upper bounded entry-wise by , with and as in Theorem 5.3. Take big enough so that (this will be used to guarantee the correctness of the cryptosystem).
**Construction 5.11 (The PLWE cryptosystem).**
1. Key generation: choose uniformly at random and choose sampled from . The secret key will be and the public key will be the pair .
2. Encryption: take a plaintext consisting of a stream of bits and regard it as a polynomial in , mapping each bit to a coefficient. Choose sampled from . Set and . The ciphertext is .
3. Decryption: on ciphertext , compute and round each coefficient either to zero or to , whichever is closest mod .
**Proposition 5.12.**
The PLWE cryptosystem is correct (i.e. decryption undoes encryption) and pseudorandom.
Proof.
For correctness, notice that for the chosen values of , and , with arbitrarily large probability the absolute values of the coefficients of will be below , so each bit of can be recovered by checking whether the corresponding coefficient of is less than , in which case we decrypt it as [math], and otherwise as , as in the LWE scheme.
For pseudorandomness, first note that RLWE samples are pseudorandom even when is sampled from , by a transformation to the Hermite normal form. Therefore, public keys are pseudorandom and we can replace them by a uniform pair in . The observations of a passive adversary are and which are also pseudorandom, since is also sampled from . ∎
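Construction 5.11 written out as a toy in Python for R_q = Z_q[x]/(x^n + 1). This is an added example, not code from the survey or from [28]: since the formulas of the construction are not reproduced above, the block follows the standard LPR shape (public key (a, b = a·s + e); ciphertext u = a·r + e_1, v = b·r + e_2 + floor(q/2)·m; decryption rounds v - u·s), and n, q and the clamped, rounded Gaussian are assumptions chosen so that the worst-case noise e·r + e_2 - e_1·s stays below q/4 and decryption never fails.

```python
import random

# Toy LPR/PLWE public key cryptosystem (Construction 5.11) in R_q = Z_q[x]/(x^n + 1).
# Added illustration, not code from the survey; n, q and the error distribution are
# assumptions: with |chi| <= 6 the decryption noise is at most 2*n*36 + 6 = 1158 < q/4.
N, Q = 16, 12289
SIGMA, BOUND = 2.0, 6


def cmod(v):
    """Centred representative of v mod q in [-(q-1)/2, (q-1)/2]."""
    v %= Q
    return v - Q if v > (Q - 1) // 2 else v


def mul(a, b):
    """Negacyclic product: multiplication in Z_q[x]/(x^n + 1)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj
    return [c % Q for c in res]


def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def sample_chi(rng):
    """Rounded Gaussian clamped to [-BOUND, BOUND], standing in for the discrete Gaussian chi."""
    return [max(-BOUND, min(BOUND, round(rng.gauss(0.0, SIGMA)))) for _ in range(N)]


def keygen(rng):
    """Secret s from chi; public key (a, a*s + e) with a uniform in R_q."""
    a = [rng.randrange(Q) for _ in range(N)]
    s, e = sample_chi(rng), sample_chi(rng)
    return s, (a, add(mul(a, s), e))


def encrypt(pk, bits, rng):
    """bits: n bits, one per coefficient. u = a*r + e1, v = b*r + e2 + floor(q/2)*m."""
    a, b = pk
    assert len(bits) == N and set(bits) <= {0, 1}
    r, e1, e2 = sample_chi(rng), sample_chi(rng), sample_chi(rng)
    u = add(mul(a, r), e1)
    v = add(add(mul(b, r), e2), [(Q // 2) * m % Q for m in bits])
    return u, v


def decrypt(s, ct):
    """v - u*s = e*r + e2 - e1*s + floor(q/2)*m; each coefficient is rounded to 0 or q/2."""
    u, v = ct
    d = sub(v, mul(u, s))
    return [0 if abs(cmod(c)) < Q // 4 else 1 for c in d]


def roundtrip(bits, seed=1):
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return decrypt(s, encrypt(pk, bits, rng))


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0]
    print(roundtrip(msg) == msg)
```

Note the contrast with the LWE toy: the public key is two ring elements (2n log q bits) and one ciphertext carries n bits, which is exactly the saving the ring structure buys.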
**Example 5.13.**
For around 100 bits of security, current implementations use a parameter set with number field degree , a 13-bit prime modulus and a narrow discrete Gaussian distribution with diagonal entries upper-bounded by 4.5.
5.5. A RLWE-based key exchange protocol
Next we present a key exchange protocol based on RLWE and due to Ding ([15]). Earlier protocols for key transport were proposed by Peikert ([33]) in 2012 and by Zhang in 2014. This protocol takes place between two devices typically called initiator and responder, which we will call Alice and Bob respectively, for the sake of tradition. Both have access to a discrete Gaussian of parameter and both know , a prime , the -th cyclotomic polynomial (hence the rings and ), and another polynomial . These data can and must be assumed to be publicly known. The algorithm uses the following two functions:
**Definition 5.14 (Signalling and binary deletion functions).**
Let . The signalling function, denoted , is the characteristic function of , namely if and only if , and otherwise. The binary deletion function is defined as
[TABLE]
The signalling function flags the elements of as small, returning [math], while the binary deletion function returns [math] on pairs corresponding to error bits, which belong to (i.e. and ). The steps of the protocol are as follows:
1. Alice initiates:
   1.1. Generates two polynomials and from the discrete Gaussian distribution .
   1.2. Computes .
   1.3. Sends Bob the polynomial .
2. Bob responds:
   2.1. Generates two polynomials and from the discrete Gaussian distribution .
   2.2. Computes .
   2.3. Generates from and computes
   [TABLE]
   2.4. Uses the signalling function to find (applying coefficientwise to ).
   2.5. Performs .
   2.6. Sends Alice .
3. Alice finishes:
   3.1. Generates from .
   3.2. Computes
   [TABLE]
   3.3. Alice performs .
Notice that the elements and are only approximately equal, up to even errors, which allows the function to detect them. The function indicates the region in which each coefficient of a polynomial lies and makes sure that the error terms in and do not result in different mod operations.
With a careful choice of the parameter , with overwhelming probability. The difficulty of breaking this scheme is that a passive adversary, who only sees and/or , must break PLWE to recover and .
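Both sides of the exchange above, run end to end in Python as an added example that is not part of the survey or of [15]. Since the page does not reproduce the formulas, the block follows Ding's published scheme as assumed here: p = a·s + 2e, k = p·s' + 2e', Sig as the indicator of the middle region E = [-floor(q/4), floor(q/4)] and Mod2(v, w) = ((v + w·(q-1)/2) mod q) mod 2 on centred residues. The ring is Z_q[x]/(x^n + 1) with n, q and the clamped Gaussian chosen as assumptions so that the even difference 2δ between k_A and k_B is bounded by (q-1)/4 and the two keys always agree.

```python
import random

# Toy run of Ding's RLWE key exchange (Section 5.5) in R_q = Z_q[x]/(x^n + 1).
# Added illustration, not code from the survey or from [15]. Parameters are assumptions:
# q = 4*3072 + 1, so (q-1)/2 is an integer and floor(q/4) = 3072; with |chi| <= 6 the
# even error 2*delta between the two shared values satisfies |delta| <= 2*n*36 + 12 < (q-1)/8.
N, Q = 16, 12289
SIGMA, BOUND = 2.0, 6


def cmod(v):
    """Centred representative of v mod q in [-(q-1)/2, (q-1)/2]."""
    v %= Q
    return v - Q if v > (Q - 1) // 2 else v


def mul(a, b):
    """Negacyclic product: multiplication in Z_q[x]/(x^n + 1)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj
    return [c % Q for c in res]


def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def twice(e):
    return [(2 * x) % Q for x in e]


def sample_chi(rng):
    return [max(-BOUND, min(BOUND, round(rng.gauss(0.0, SIGMA)))) for _ in range(N)]


def sig(v):
    """Signalling function: 0 if the centred residue lies in E = [-floor(q/4), floor(q/4)], else 1."""
    return 0 if -(Q // 4) <= cmod(v) <= Q // 4 else 1


def mod2(v, w):
    """Binary deletion: shift by w*(q-1)/2 so the value sits away from +-q/2, then take the
    parity of the centred residue. Two values differing by a small even amount give the same bit."""
    return cmod(v + w * (Q - 1) // 2) % 2


def alice_init(a, rng):
    s_a, e_a = sample_chi(rng), sample_chi(rng)
    return s_a, add(mul(a, s_a), twice(e_a))            # p_A = a*s_A + 2e_A, sent to Bob


def bob_respond(a, p_a, rng):
    s_b, e_b, e_b2 = sample_chi(rng), sample_chi(rng), sample_chi(rng)
    p_b = add(mul(a, s_b), twice(e_b))                   # p_B = a*s_B + 2e_B
    k_b = add(mul(p_a, s_b), twice(e_b2))                # k_B = p_A*s_B + 2e'_B
    w = [sig(c) for c in k_b]                            # signal, sent in the clear with p_B
    return p_b, w, [mod2(c, wc) for c, wc in zip(k_b, w)]


def alice_finish(s_a, p_b, w, rng):
    k_a = add(mul(p_b, s_a), twice(sample_chi(rng)))     # k_A = p_B*s_A + 2e'_A
    return [mod2(c, wc) for c, wc in zip(k_a, w)]


def run(seed):
    """One protocol run over a public a; returns (Alice's key bits, Bob's key bits)."""
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]
    s_a, p_a = alice_init(a, rng)
    p_b, w, sk_b = bob_respond(a, p_a, rng)
    sk_a = alice_finish(s_a, p_b, w, rng)
    return sk_a, sk_b


if __name__ == "__main__":
    sk_a, sk_b = run(1)
    print(sk_a == sk_b, sk_a)
```

Everything a passive adversary sees (a, p_A, p_B and the signal w) is either uniform or a PLWE sample; w leaks only which coefficients of k_B sit near ±q/2, not their parity.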
**Remark 5.15.**
In November 2015, Alkim, Ducas, Pöppelmann and Schwabe recommended the parameters and (see [1]). This represents a significant reduction in public key size over previous schemes, and the scheme was submitted to NIST under the name NewHope. At the time of writing, NewHope has passed unbroken to the second round (see Section 7.3).
6. Attacks on RLWE
Detailed reports on the state of the art of attacks on the RLWE cryptosystem can be found in [18] and [32]. In [18] the authors discuss a list of open questions in algebraic number theory motivated by several attacks on RLWE. This interplay between cryptography and number theory is a fruitful link which is expected to produce a flow of results in both directions.
On the other hand, in [32], a comprehensive review of the known attacks and vulnerable instantiations is carried out from a geometric viewpoint. We present, at our introductory level, only a few of these attacks and questions, working out some details. Within this section, we assume as usual that is a number field of degree and, in the PLWE setting, that the defining polynomial splits totally over . This is unnecessary, but it simplifies the exposition while keeping the essential facts.
6.1. Reduction to LWE
Let be a -basis of such that its reduction modulo , , is an -basis of . Given , multiplication by is an -linear map described by a matrix with respect to . Hence, a public key has attached the pair , where and are, respectively, the coordinates of and with respect to , which implies that one RLWE sample carries LWE samples. A first attack is based on Case 2 in Section 3.2: if the -th error coordinate with respect to does not wrap around , namely if is small enough, we have errorless LWE in the -th row of , and with enough samples we can recover with high probability.
Let now be a prime ideal above of norm and let be a Gaussian distribution over . Given RLWE samples , where and is taken from , we can reduce them modulo to obtain samples with , so the secret now lies in a set of size . The following analysis is due to Peikert (cf. [32], Section 3.2) and yields a potentially successful attack when is not too large:
1. Since reduction modulo takes uniform samples to uniform samples, if modulo is detectably non-uniform, we have an attack against decisional RLWE.
2. If has one or more coefficients that do not wrap around , then we can attack search RLWE by reducing to errorless LWE and trying arbitrarily many samples.
In all cases (both in LWE and RLWE), the insecurity of an instantiation is due to the error distribution being insufficiently well spread relative to the ring geometry, so, as in Section 3.2, the main lesson here is that the error distribution should be taken with parameters as close as possible to those for which the hardness theorem works (Theorem 5.3).
6.2. Reduction to PLWE and attacks on it
A first fact to mention is that, at the time of writing, there is no direct attack against RLWE, i.e., one that does not go through a reduction to an attack on PLWE or LWE as described in the previous subsection. So, all the attacks presented here attempt to break PLWE first and then reduce RLWE to PLWE.
**Theorem 6.1 (Elias et al. [18]).**
If satisfies the following six conditions, there is a polynomial time attack on the search version of the associated RLWE scheme:
1. is Galois of degree .
2. The ideal splits totally in .
3. is monogenic, i.e., .
4. The transformation between the canonical embedding of and the power basis representation of is given by a scaled orthogonal matrix.
5. If is the minimal polynomial of , then .
6. The prime can be chosen suitably large.
The first two conditions are sufficient for the RLWE search-to-decision reduction in the case where , which is implied by the third condition. The third and fourth conditions are sufficient for the RLWE-to-PLWE reduction; indeed, the fourth condition can be relaxed to require only that the condition number of the matrix describing the transformation between the embeddings is at most polynomial in , as we discussed in the previous section.
Finally, the last two conditions are sufficient for the attack on PLWE. Unfortunately (from the attacker's point of view), it is difficult to construct number fields satisfying all six conditions simultaneously. Next, we explain the attack on PLWE when conditions 5 and 6 hold.
Setting as usual , fix a public key and a secret key , i.e. with sampled from the discrete Gaussian .
For each root of , consider the projection given by . By a short vector in we mean one with small coefficients, which in practice means coefficients upper bounded in absolute value by . For suitable parameters, these short vectors lie inside a prescribed region with non-negligible probability and are easy to recognise. However, for a pair , it is difficult to check whether there exist and a short vector such that , in which case the attacker would guess that . The reason is that there are possibilities for to test, which is prohibitive.
By contrast, in a small ring like , it is easy to examine the possibilities for exhaustively: we can loop through the possibilities for , obtaining for each guess the putative value . The decision problem for PLWE is then solved as soon as we can recognise the set of that arise from the Gaussian with high probability.
Again, this is difficult in general, but if 5 holds, i.e., if is a root of , the attacker has a chance:
Let us denote by the subset of polynomials that are produced by the Gaussian with non-negligible probability. This is a small set, due to the parameter choice. However, is also a much smaller set than and one expects that generically, or something very close. One says that in this case smears across all of .
But we are supposing that . The polynomials have small coefficients, and hence have small images . This is simply because is much smaller than , due to condition 6, so that the sum of small coefficients is still small modulo . These ideas can be turned into the following algorithm:
**Algorithm 6.2.**
Suppose . The input is a collection of pairs , where each sample is drawn either uniformly at random or from the PLWE distribution . The output is a decision, for each sample, of which distribution it was taken from, correct with non-negligible probability. The algorithm is as follows:
1. For to do:
   Set . This is the initial set of guesses for , which is pruned at each iteration.
   2. For each do:
      2.1. Compute ;
      2.2. If is not small in absolute value modulo , conclude that the sample cannot be valid for with non-negligible probability, and update ;
   3. If , conclude that the sample was random; otherwise declare the sample valid.
**Remark 6.3.**
Notice that in the inner loop, if the sample is valid, then , and if is the variance of (which is spherical with respect to our embedding, fixed beforehand), then is sampled from a discrete Gaussian distribution of zero mean and parameter . The region of non-negligible probability for this Gaussian can be taken to be
[TABLE]
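The evaluation-at-1 attack, run on a toy PLWE instance, as an added example that is not part of the survey or of [18]; it also builds the multiplication matrix of Section 6.1 to show that one ring sample is n LWE samples. Assumptions: n = 16, q = 12289, a rounded Gaussian clamped to [-6, 6], and a monic defining polynomial f(x) = x^n + x + (q - 2) chosen only because f(1) ≡ 0 (mod q), i.e. because it satisfies condition 5 (x^n + 1, by contrast, has f(1) = 2). Evaluation at 1 is a ring homomorphism R_q → Z_q, so b(1) = a(1)·s(1) + e(1) and e(1) is a sum of n small errors. Following the version in [18], the set of guesses for s(1) is kept across all samples rather than reset per sample as in Algorithm 6.2 above: for uniform samples it empties after a handful of them, for PLWE samples it collapses to {s(1)}, so the attack also recovers s(1). The "small" threshold is the hard clamp bound n·6 rather than the Gaussian tail region of Remark 6.3, so a true sample is never rejected.

```python
import random

# Toy PLWE instance for the Elias et al. evaluation-at-1 attack (Algorithm 6.2) and for the
# "one RLWE sample = n LWE samples" reduction of Section 6.1. Added illustration, not code
# from the survey or from [18]; n, q, the Gaussian and f are assumptions.
N, Q = 16, 12289
SIGMA, BOUND = 2.0, 6
# f(x) = x^n + x + (q - 2): monic, degree n, coefficients low -> high. Its only property used is
# f(1) = q = 0 mod q (condition 5 of Theorem 6.1); irreducibility is not needed for the attack.
F = [Q - 2, 1] + [0] * (N - 2) + [1]
assert sum(F) % Q == 0


def cmod(v):
    """Centred representative of v mod q in [-(q-1)/2, (q-1)/2]."""
    v %= Q
    return v - Q if v > (Q - 1) // 2 else v


def mulmod(a, b):
    """Product in Z_q[x]/(f): schoolbook multiplication, then reduction by the monic f."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    for k in range(2 * N - 2, N - 1, -1):        # kill x^k (k >= n) by subtracting c * x^(k-n) * f
        c = prod[k] % Q
        if c:
            for t in range(N + 1):
                prod[k - N + t] -= c * F[t]
    return [c % Q for c in prod[:N]]


def sample_chi(rng):
    return [max(-BOUND, min(BOUND, round(rng.gauss(0.0, SIGMA)))) for _ in range(N)]


def plwe_samples(s, m, rng):
    """m samples (a, a*s + e) with a uniform in R_q and e from chi."""
    out = []
    for _ in range(m):
        a = [rng.randrange(Q) for _ in range(N)]
        b = [(x + y) % Q for x, y in zip(mulmod(a, s), sample_chi(rng))]
        out.append((a, b))
    return out


def uniform_samples(m, rng):
    return [([rng.randrange(Q) for _ in range(N)], [rng.randrange(Q) for _ in range(N)])
            for _ in range(m)]


def mult_matrix(a):
    """n x n matrix of multiplication by a in the power basis: column j = a * x^j mod f (Section 6.1)."""
    cols = [mulmod(a, [1 if t == j else 0 for t in range(N)]) for j in range(N)]
    return [[cols[j][i] for j in range(N)] for i in range(N)]


def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(N)) % Q for i in range(N)]


def check_mult_matrix(seed=3):
    """The n rows of (M_a, b) are n LWE samples with the same secret vector."""
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]
    s = [rng.randrange(Q) for _ in range(N)]
    return matvec(mult_matrix(a), s) == mulmod(a, s)


def attack(samples, threshold=N * BOUND):
    """Keep every guess g for s(1) consistent with all samples: b(1) - g*a(1) must be small mod q.
    Returns the surviving guesses: empty => samples look uniform; otherwise the set contains s(1)."""
    survivors = set(range(Q))
    for a, b in samples:
        a1, b1 = sum(a) % Q, sum(b) % Q            # evaluation at 1 commutes with reduction mod f
        survivors = {g for g in survivors if abs(cmod(b1 - g * a1)) <= threshold}
        if not survivors:
            break
    return survivors


def distinguish(samples):
    return "PLWE" if attack(samples) else "uniform"


def demo(seed=7, m=8):
    """Returns (s(1), survivors on real samples, survivors on uniform samples)."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    return sum(s) % Q, attack(plwe_samples(s, m, rng)), attack(uniform_samples(m, rng))


if __name__ == "__main__":
    print(demo(), check_mult_matrix())
```

Each sample leaves only 2·threshold + 1 of the q guesses alive, so after m samples a uniform input keeps about q·(2·threshold/q)^m guesses, which is already negligible for m = 8 here; the cost is O(m·q) additions, independent of n, which is exactly why a small image ring under the evaluation map is dangerous.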
Notice that the cyclotomic cases are protected against this attack: is never a root modulo of a cyclotomic polynomial of degree greater than 1 when is sufficiently large. However, with minor modifications, the former attack extends to the case where has small order modulo . Indeed, denote by the order of modulo . For an unknown polynomial , deciding from a known value whether is sampled from a Gaussian distribution, in a similar fashion to Remark 6.3, is more complicated. However, one can still take advantage of a small , as we explain next.
For , set with . Define for and write
[TABLE]
If is sampled from a multivariate Gaussian with variance very close to , then each term is sampled from a 1-dimensional Gaussian of variance very close to . This defines a smallness region , which can be pre-stored as a look-up table
[TABLE]
to be consulted in order to guess tentative values of . With this observation, we can derive the following algorithm:
**Algorithm 6.4.**
Suppose . The input is a collection of pairs , where each sample is drawn either uniformly at random or from the PLWE distribution . The output is a decision, for each sample, of which distribution it was taken from, correct with non-negligible probability. The algorithm is as follows:
1. For to do:
   Set ;
   2. For each do:
      2.1. Compute ;
      2.2. If , conclude that the sample cannot be valid for with non-negligible probability, and update ;
   3. If , conclude that the sample was random; otherwise declare the sample valid.
**Remark 6.5.**
The third attack described in [18] is based on the size of the residue of modulo . Although here the errors may take all values in , it may still be possible to notice that the distribution of samples is not uniform. The attacking algorithm is built on a delicate probability bound in the case where and the order of modulo is not small. For example, this third attack succeeds for any irreducible polynomial of degree , with of the order of , and .
6.3. Some number theoretical open questions motivated by attacks on PLWE
As seen before, being simultaneously Galois and monogenic, having as a root of the minimal polynomial modulo (or some other root of small order), and the non-smearing under the evaluation map of the set of small vectors in can be regarded as weakness conditions for building an RLWE-based cryptosystem. We next give a list of number theoretical problems which are motivated by the search for security in RLWE-based primitives and which are still open at the time of writing.
Question 6.6.
Are there any fields of cryptographic size (i.e. ) which are Galois and monogenic, other than the cyclotomic number fields and their maximal real subfields? How can one construct such fields explicitly? Is it possible to test both features algorithmically?
Notice that for fields of cryptographic size, the discriminant is too big to test whether or not it is square-free, hence to decide whether the field is monogenic. An algorithmic approach which circumvents this test is not available at the time of writing. Although for fields of small degree a complete characterisation may be feasible (necessary and sufficient conditions for a cubic number field have been found by Gras and Archinard), the situation is quite different for fields of large degree. For instance, cyclic extensions tend to be non-monogenic:
Theorem 6.7.
Any cyclic extension of prime degree is non-monogenic except for the maximal real subfield of the -th cyclotomic field.
Another result in this direction is as follows:
Theorem 6.8.
Let 5 be relatively prime to . There are only finitely many abelian number fields of degree that are monogenic.
Question 6.9.
Let be a root of modulo . For which subsets is ? Or, at least, can one determine the conditions for non-smearing, as in the case when and is a set of small vectors in ?
Finally, as seen before, polynomials with roots of small order modulo should be avoided. Again, cyclotomic polynomials are safe against attacks built on small order roots, as their roots have maximal order. The problem here is as follows:
Question 6.10.
For random polynomials and random primes for which has a root modulo , what can one say about the order of modulo ?
A special instance of this question is this well-known open problem:
Conjecture 6.11 (Artin).
Each is a primitive root modulo infinitely many primes such that is not a perfect square or modulo . In fact, the set of primes for which is a primitive root has density
[TABLE]
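The weakness conditions discussed in Section 6 (a root of small multiplicative order modulo q, of which the root 1 exploited by the first attack is the extreme case) are easy to check for a candidate defining polynomial. The following parameter check is an added illustration and not code from the survey: it finds the roots of f modulo q by exhaustive evaluation (so q must be small; for cryptographic q one would substitute a polynomial factorisation routine) and reports the order of each root in the multiplicative group modulo q. The two sample polynomials and the modulus q = 17 are constructed for the example; x^4 + 2x^3 + 14 is irreducible over Q by Eisenstein's criterion at 2, yet has 1 as a root modulo 17.

```python
"""Root-order check for a PLWE defining polynomial f modulo a prime q.
Added illustration (not from the survey); brute-force root finding, small q only."""


def eval_poly(coeffs, x, q):
    """Horner evaluation of f(x) mod q; coeffs are listed highest degree first."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % q
    return acc


def mult_order(alpha, q):
    """Smallest r >= 1 with alpha^r = 1 mod q (q prime, alpha nonzero mod q)."""
    r, power = 1, alpha % q
    while power != 1:
        power = (power * alpha) % q
        r += 1
    return r


def roots_mod_q(coeffs, q):
    """All x in Z_q with f(x) = 0 mod q, by exhaustive evaluation."""
    return [x for x in range(q) if eval_poly(coeffs, x, q) == 0]


def root_orders(coeffs, q):
    """(root, order) pairs for the nonzero roots of f mod q.
    A zero root (q | f(0)) has no multiplicative order and is reported separately."""
    return [(r, mult_order(r, q)) for r in roots_mod_q(coeffs, q) if r != 0]


def has_small_order_root(coeffs, q, bound):
    """True iff some root of f mod q has order <= bound: the situation in which the
    evaluation-at-a-root attacks of Section 6 apply. A cyclotomic Phi_n with q = 1 mod n
    has only roots of order exactly n, so it passes for any bound < n."""
    return any(order <= bound for _, order in root_orders(coeffs, q))


# Constructed examples; q = 17 keeps the exhaustive search instant.
Q_DEMO = 17
PHI_8 = [1, 0, 0, 0, 1]    # x^4 + 1, the 8th cyclotomic polynomial; 17 = 1 mod 8
WEAK = [1, 2, 0, 0, 14]    # x^4 + 2x^3 + 14: irreducible over Q, but f(1) = 17 = 0 mod 17

if __name__ == "__main__":
    for name, f in (("Phi_8", PHI_8), ("x^4+2x^3+14", WEAK)):
        print(name, root_orders(f, Q_DEMO), "small-order root:",
              has_small_order_root(f, Q_DEMO, bound=4))
```

For the cyclotomic sample every root has order 8, the maximal order a root of Phi_8 can have, while the constructed polynomial has the root 1 of order 1 and would be rejected; the same function with a larger bound flags the "small order" case of Algorithm 6.4.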
7. Ring Learning With Errors signatures, homomorphic encryption and some NIST figures
7.1. RLWE Digital Signatures
We present here a 2012 scheme by Güneysu, Lyubashevsky and Pöppelmann (GLP [21]). It has some advantages over more recent efficient post-quantum digital signature proposals such as BLISS and Ring-TESLA, but, although not broken, GLP as originally proposed is no longer considered to offer strong levels of security. Building on GLP, A. Chopra presented GLYPH in 2017, another RLWE digital signature scheme: a special instantiation of GLP together with certain modifications to the compression and hash functions. It is described in [13], where a thorough analysis of its resistance to signature forgery, key-recovery, exhaustive and meet-in-the-middle attacks is carried out. However, the main ideas on how to use RLWE for secure signatures are already contained in GLP, hence we have chosen this scheme as a first contact with the topic.
We use the same terminology and notions as in Definition 2.3 and subsequent discussion, to which we refer the reader. This scheme uses PLWE in the cyclotomic ring with an odd prime congruent to mod or a power of .
A first difference to mention here is that instead of discrete Gaussians, the coefficients of small polynomials are sampled uniformly from modulo . This version of RLWE is called the Compact Knapsack Problem over ideal lattices, whose decisional version backs GLP. Secondly, the lengths of signatures must not exceed a prescribed parameter , regardless of the size of the message to sign. To attain this, the scheme uses a) a hash function (a hash function is with fixed ; in GLP/GLYPH, a common choice for is SHA-256), which accepts bit strings of arbitrary length and returns bit strings of bounded length, and b) a function from the target of to the set of polynomials of degree with exactly of their coefficients having absolute value in and the rest being zero, such that the probability of mapping two hash outputs to the same sparse element is less than , where is a security parameter.
Hence, the procedure has a rejection sampling step, which ensures that the output signature is not exploitably correlated with the signer's secret key values: if the infinity norm of a signature polynomial exceeds a fixed bound, , that polynomial is discarded and the signing process starts again. This process is repeated until the infinity norm of the signature polynomial is less than or equal to , where is the number of non-zero coefficients allowed in acceptable polynomials.
Third, it is necessary to fix an injective map , with . Last, the maximum degree of the signature polynomials will be , so that there are coefficients. Typical values for are 512 and 1024. For , GLYPH sets , and . The scheme is as follows:
- 1. Key generation:
- 1.1 Generate, uniformly, two small polynomials and . The pair is the private key.
- 1.2 Compute , with chosen uniformly at random. The public key is .
- 2. Signature generation:
- 2.1 Input: a message and
- 2.2 Generate two small polynomials and .
- 2.3 Compute .
- 2.4 Set and .
- 2.5 Compute . The symbol denotes concatenation of strings.
- 2.6 Compute and .
- 2.7 While the infinity norm of or is greater than , go to step 2.1.
- 2.8 Output: . Transmit the signature along with the message . Notice that we are not discussing here signatures of encrypted messages, which is a more sophisticated cryptographic functionality.
- 3. Signature verification:
- 3.1 Input: .
- 3.2 Verify that the infinity norms of and do not exceed . If either does, reject the signature.
- 3.3 Compute .
- 3.4 Set and .
- 3.5 Compute .
- 3.6 Output: if , reject the signature; otherwise accept the signature as valid.
Notice that , hence if the signature has not been tampered with, and so the scheme is correct.
Remark 7.1.
The private key can be represented in bits of memory, and the public key can be represented in bits, which makes GLP feasible for practical implementations.
Remark 7.2.
Both in [13] and in the earlier [21], the application of the hash function may be unclear to an inexperienced reader. The reason is that in what we have labelled steps 2.5 and 3.4, both schemes apply , defined over a binary domain, to inputs which are not binary. This point is probably not taken very seriously by the experts, for all that matters is that is a collision resistant function and, more importantly, that when it comes to comparing with , they can be equal with overwhelming probability if and only if . But of course one needs to make the arguments and of binary, and this is why we have fixed the inaccuracy by resorting to a function which injectively maps polynomial inputs to binary strings, and defined and . Page 6 of [21] discusses how forging a signature implies finding a collision in .
7.2. RLWE Homomorphic encryption
Homomorphic encryption was first introduced by Rivest, Adleman and Dertouzos back in the 70's ([36]), where they raised the problem of constructing a fully homomorphic scheme (a privacy homomorphism, in their phraseology). This problem was solved by Craig Gentry in 2009 in his seminal paper [20], using ideal lattices and (essentially) a modified version of PLWE. The possibility of cheap cloud computing and distributed storage has drastically changed how businesses and individuals process their data, and although traditional ciphers like AES are very fast, performing even simple analytics on encrypted data requires either that the cloud server has access to the secret keys, leading to security concerns, or that the data owner downloads the data, decrypts it and operates on it, which is costly. Homomorphic encryption is the solution to this challenge.
Areas where homomorphic encryption has applications include e-voting systems ([12]) and processing or computing on encrypted health, financial or other kinds of sensitive data on external servers like cloud or distributed devices.
Homomorphic and fully homomorphic encryption (FHE) have already been introduced here in Definition 2.5, and Example 2.6 provides an example of a homomorphic but not fully homomorphic encryption scheme.
Example 7.3.
Another example of homomorphic encryption is the LWE cryptosystem. To avoid entering into technicalities, choose an odd prime , so that is invertible in . We observe that an LWE oracle is essentially homomorphic: given a private key , two uniformly sampled vectors and two errors taken from a -valued random variable of [math]-mean and variance , we see that
[TABLE]
Here "essentially" means that the sum is drawn from the variable , which also has [math]-mean but variance . This easy observation allows one to define a homomorphic cryptosystem, which is a minor modification of Regev's scheme presented in Section 3. However, if we keep adding encryptions of data, the error of the final encrypted data is amplified, and once this error passes a certain threshold, decryption becomes impossible. This implies that the length of the arithmetic circuit must be known beforehand and the parameters must be set to accommodate it.
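The additive homomorphism and the error growth of Example 7.3 can be seen in a few lines. The following is an added illustration written for this page, not the survey's or Regev's code: a secret-key LWE encryption of single bits (the public-key version adds a layer that is irrelevant to the homomorphic property), with an odd prime modulus as in the text and bounded uniform errors in place of a discrete Gaussian so that the noise budget can be stated exactly. Dimension 16, q = 257 and the error bound 3 are constructed toy parameters with no security.

```python
"""Additive homomorphism of secret-key LWE and the noise threshold of Example 7.3.
Added illustration (not from the survey); constructed, insecure parameters."""
import random

N = 16           # LWE dimension
Q = 257          # odd prime modulus
B = 3            # fresh errors are uniform in [-B, B]
DELTA = Q // 2   # a bit mu is encoded as mu * DELTA


def centered(v):
    """Representative of v mod Q in (-Q/2, Q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


def inner(a, s):
    return sum(x * y for x, y in zip(a, s)) % Q


def keygen(rng):
    return [rng.randrange(Q) for _ in range(N)]


def encrypt_with_error(s, bit, a, e):
    """LWE sample carrying the message: (a, <a, s> + e + bit*DELTA)."""
    return a, (inner(a, s) + e + bit * DELTA) % Q


def encrypt(s, bit, rng):
    a = [rng.randrange(Q) for _ in range(N)]
    return encrypt_with_error(s, bit, a, rng.randint(-B, B))


def decrypt(s, ct):
    """Correct as long as the accumulated noise has absolute value at most Q//4."""
    a, b = ct
    return 1 if abs(centered(b - inner(a, s))) > Q // 4 else 0


def add(ct1, ct2):
    """Componentwise sum: an encryption of the XOR of the bits with error e1 + e2."""
    (a1, b1), (a2, b2) = ct1, ct2
    return [(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q


def max_safe_additions(q=Q, bound=B):
    """Number k of fresh ciphertexts whose sum always decrypts correctly.
    Each summand contributes at most `bound` of error plus 1/2 from the encoding
    (2*DELTA = -1 mod q), so k*(bound + 1) <= q//4 suffices. This is the
    'circuit length known beforehand' constraint of the text."""
    return (q // 4) // (bound + 1)


def xor_demo(seed=2):
    """Decryptions of E(0)+E(1), E(1)+E(1), E(0)+E(0): expected (1, 0, 0)."""
    rng = random.Random(seed)
    s = keygen(rng)
    c0, c1 = encrypt(s, 0, rng), encrypt(s, 1, rng)
    return decrypt(s, add(c0, c1)), decrypt(s, add(c1, c1)), decrypt(s, add(c0, c0))


def parity_demo(k, seed=1):
    """Sum k encryptions of random bits; return (true parity, decrypted parity)."""
    rng = random.Random(seed)
    s = keygen(rng)
    bits = [rng.randrange(2) for _ in range(k)]
    acc = encrypt(s, bits[0], rng)
    for bit in bits[1:]:
        acc = add(acc, encrypt(s, bit, rng))
    return sum(bits) % 2, decrypt(s, acc)


def overflow_demo(k, seed=1):
    """Worst case: k encryptions of 0, each with error +B. The true parity is 0,
    but once k*B exceeds Q//4 the accumulated noise flips the decrypted bit."""
    rng = random.Random(seed)
    s = keygen(rng)
    fresh = lambda: encrypt_with_error(s, 0, [rng.randrange(Q) for _ in range(N)], B)
    acc = fresh()
    for _ in range(k - 1):
        acc = add(acc, fresh())
    return decrypt(s, acc)
```

With these parameters `max_safe_additions()` is 16: summing sixteen fresh ciphertexts always yields the right parity, while thirty worst-case encryptions of 0 accumulate noise 90 > 64 and decrypt to 1. Multiplication in plain LWE has no such componentwise rule, which is why the ring structure of RLWE is needed for the fully homomorphic schemes that follow.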
An analysis analogous to the previous example shows that RLWE oracles are also essentially homomorphic with respect to both the additive and the multiplicative structure, where, again, "essentially" means that the error of the sum/product is an amplification of the individual errors of the encrypted data; hence RLWE provides an FHE scheme, as we see next.
Definition 7.4 (The BGV cryptosystem ([11], Section 3.4)).
Denote , with the -th cyclotomic polynomial and set . Consider as the space of plaintexts the ring , for fixed and prime . The scheme is parametrized by a sequence of decreasing moduli such that and an -th level ciphertext is a vector .
- 1. Key generation: Choose by sampling from a discrete Gaussian such that the probability of the set is close enough to .
- 2. Encryption/Decryption: A plaintext is encrypted to if and only if modulo equals in with for some .
Observe that adding or multiplying two -level ciphertexts results in an -level ciphertext, so computations over -level ciphertexts are not allowed, as they cannot be decrypted. Several recent refinements to this scheme have been proposed ([22]) and the topic is still under research.
A number of open-source implementations of homomorphic encryption are available. For instance, HElib, a widely used library from IBM that implements the BGV cryptosystem; SEAL, a Microsoft library; (pronounced LOL), a Haskell library for ring-based lattice cryptography that supports FHE; or PALISADE, a general lattice encryption library. It is possible to add new implementations after public review by contacting [email protected]. In sum, homomorphic encryption is already ripe for mainstream use, but the lack of standardisation makes it difficult to decide which implementation to use.
7.3. NIST figures
In 2017, the American National Institute of Standards and Technology (NIST) launched an open call (https://csrc.nist.gov/Projects/Post-Quantum-Cryptography) to evaluate and standardize one or more quantum-resistant public-key cryptographic algorithms. In their own words:
The question of when a large-scale quantum computer will be built is a complicated one. While in the past it was less clear that large quantum computers are a physical possibility, many scientists now believe it to be merely a significant engineering challenge. Some engineers even predict that within the next twenty or so years sufficiently large quantum computers will be built to break essentially all public key schemes currently in use. Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.
The deadline for submission was November 30, 2017. The total number of submissions (for encryption, key exchange and signatures) was 71. In the first round, 14 submissions were attacked or withdrawn. Of the remaining 57, some of the proposals (mainly code-based ones) merged. Taking this into account, 50 proposals remained unbroken. Some of them were found to have non-fatal attacks, which can be avoided with a suitable choice of parameters, also in the first round.
Of these 50 proposals: 9 were code-based, 21 lattice-based, 2 hash-based, 9 multivariate-based, and 1 a supersingular isogeny Diffie-Hellman (SIDH) key-exchange protocol. The remaining 8 submissions were hybrid or based on problems such as random walks (1), braids (2), Chebyshev polynomials (1) or hypercomplex numbers (1).
In January 2019, a second round started and taking into account the attacks and feedback to the surviving proposals of the first round, 26 proposals have passed this new sieve. The numbers of remaining proposals (at the time of writing) within each category are listed in the following table, constructed out of data from https://www.safecrypto.eu/pqclounge/:
[1] E. Alkim, L. Ducas, T. Pöppelmann, P. Schwabe. Post-quantum key exchange: a new hope. Proceedings of the 25th USENIX Security Symposium, 2016, pp. 327–343.
[2] M. H. Alsuwaiyel. Algorithms: Design Techniques and Analysis. World Scientific, 1999.
[3] S. Arora, R. Ge. New algorithms for learning in presence of errors. In Automata, Languages and Programming, pp. 403–415. Springer, 2011.
[4] A. S. Bang. Om ligningen Φ_m(X) = 0. Nyt Tidsskrift for Matematik, Afdeling B (1895), 6–12.
[5] P. T. Bateman. On the size of the coefficients of the cyclotomic polynomial. Séminaire de Théorie des Nombres de Bordeaux, 11 (28) (1982), 1–18.
[6] I. Blanco-Chacón. On the RLWE/PLWE equivalence for cyclotomic number fields. To appear in Applicable Algebra in Engineering, Communication and Computing, 2020 (available on arXiv: https://arxiv.org/abs/2001.10891).
[7] D. Boneh, V. Shoup. A graduate course in applied cryptography, 2020. https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_5.pdf
[8] D. J. Bernstein, C. Chuengsatiansup, T. Lange, C. van Vredendaal. NTRU Prime (2016). http://eprint.iacr.org/2016/461
