About two months ago we have posted a short paper on eprint sharing some thoughts on the error size used in Ring-LWE, an increasingly important hard problem that was proposed by Lyubashevsky, Peikert and Regev [LPR] as a building block for cryptography. Besides resistance against quantum computers, one of the main features of Ring-LWE for HEAT is that it enables homomorphic encryption.
Very briefly, in Ring-LWE one fixes a degree n number field K with ring of integers R and discriminant \Delta. One also fixes an integer modulus q and an error parameter r \in \mathbb{R}_{> 0}, which we think of as depending on n only. We write R_q and R_q^\vee for the reduction of R and its codifferent (or `dual') modulo q. The Ring-LWE problem is about guessing a secret \mathbf{s} \in R_q^\vee from a number of samples of the form (\mathbf{a}, \mathbf{a} \cdot \mathbf{s} + \mathbf{e} ), where \mathbf{a} \in R_q is random and \mathbf{e} is sampled from the distribution on (K \otimes \mathbb{R})/q\mathbb{Z} that one obtains by pulling back a spherical Gaussian of width r under the canonical embedding K \hookrightarrow \mathbb{R}^n.
In a recent series of papers Elias, Lauter, Ozman and Stange [ELOS], and Chen, Lauter and Stange [CLS1], [CLS2] investigated whether the existence of a homomorphism \phi : R_q \rightarrow S to some small ring S can be exploited to leak information about the secret \mathbf{s}. For instance if R_q is of the form \mathbb{Z}[x]/(q,f(x)) for some f(x) \in \mathbb{Z}[x] satisfying f(1) = 0 mod q, then \phi could be evaluation at 1: \phi : R_q \rightarrow \mathbb{F}_q: \mathbf{a} \mapsto \mathbf{a}(1).
In a previous paper (reported upon in a blogpost below) we showed that the families from [ELOS] indeed suffer from this skewness, and therefore were easy to start from. To some extent this also seems to apply to the examples from [CLS1] and [CLS2], as is discussed in the last section of our current paper, where we make a more systematic analysis of the skewness phenomenon. Our main contributions are as follows:
About a month ago Peikert posted a paper sharing similar (but more detailed) thoughts on the vulnerability of the Ring-LWE instantiations described in [ELOS], [CLS1] and [CLS2].
Wouter Castryck, Ilia Iliashenko, Frederik Vercauteren
Very briefly, in Ring-LWE one fixes a degree n number field K with ring of integers R and discriminant \Delta. One also fixes an integer modulus q and an error parameter r \in \mathbb{R}_{> 0}, which we think of as depending on n only. We write R_q and R_q^\vee for the reduction of R and its codifferent (or `dual') modulo q. The Ring-LWE problem is about guessing a secret \mathbf{s} \in R_q^\vee from a number of samples of the form (\mathbf{a}, \mathbf{a} \cdot \mathbf{s} + \mathbf{e} ), where \mathbf{a} \in R_q is random and \mathbf{e} is sampled from the distribution on (K \otimes \mathbb{R})/q\mathbb{Z} that one obtains by pulling back a spherical Gaussian of width r under the canonical embedding K \hookrightarrow \mathbb{R}^n.
In a recent series of papers Elias, Lauter, Ozman and Stange [ELOS], and Chen, Lauter and Stange [CLS1], [CLS2] investigated whether the existence of a homomorphism \phi : R_q \rightarrow S to some small ring S can be exploited to leak information about the secret \mathbf{s}. For instance if R_q is of the form \mathbb{Z}[x]/(q,f(x)) for some f(x) \in \mathbb{Z}[x] satisfying f(1) = 0 mod q, then \phi could be evaluation at 1: \phi : R_q \rightarrow \mathbb{F}_q: \mathbf{a} \mapsto \mathbf{a}(1).
Although this idea is attractive, the concrete vulnerable instances proposed by [ELOS], [CLS1], [CLS2] do not follow the original set-up from [LPR]. Instead they
- sample the secrets from the ring R_q, rather than its dual R_q^\vee,
- use an error parameter of the form |\Delta|^{1/2n}\cdot r, rather than just r.
In a previous paper (reported upon in a blogpost below) we showed that the families from [ELOS] indeed suffer from this skewness, and therefore were easy to start from. To some extent this also seems to apply to the examples from [CLS1] and [CLS2], as is discussed in the last section of our current paper, where we make a more systematic analysis of the skewness phenomenon. Our main contributions are as follows:
- We first give an informal motivation for why the most natural choice of scalar is |\Delta|^{1/n}, rather than |\Delta|^{1/2n}, if one wants to set up a non-dual version of Ring-LWE as in 1.
- Next we provide for any \varepsilon > 0 a family of number fields in which non-dual Ring-LWE can again be broken using elementary linear algebra as soon as the errors are scaled up by |\Delta|^{(1 - \varepsilon)/n} only.
- Finally we show that also the actual (i.e., dual) Ring-LWE problem is easily broken for the same families, as soon as the errors proposed by [LPR] as scaled down by |\Delta|^{\varepsilon/n}.
About a month ago Peikert posted a paper sharing similar (but more detailed) thoughts on the vulnerability of the Ring-LWE instantiations described in [ELOS], [CLS1] and [CLS2].
Wouter Castryck, Ilia Iliashenko, Frederik Vercauteren
No comments:
Post a Comment