Advertisement

Order-LWE and the Hardness of Ring-LWE with Entropic Secrets

  • Madalina BolboceanuEmail author
  • Zvika Brakerski
  • Renen Perlman
  • Devika Sharma
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11922)

Abstract

We propose a generalization of the celebrated Ring Learning with Errors (RLWE) problem (Lyubashevsky, Peikert and Regev, Eurocrypt 2010, Eurocrypt 2013), wherein the ambient ring is not the ring of integers of a number field, but rather an order (a full rank subring). We show that our Order-LWE problem enjoys worst-case hardness with respect to short-vector problems in invertible-ideal lattices of the order.

The definition allows us to provide a new analysis for the hardness of the abundantly used Polynomial-LWE (PLWE) problem (Stehlé et al., Asiacrypt 2009), different from the one recently proposed by Rosca, Stehlé and Wallet (Eurocrypt 2018). This suggests that Order-LWE may be used to analyze and possibly design useful relaxations of RLWE.

We show that Order-LWE can naturally be harnessed to prove security for RLWE instances where the “RLWE secret” (which often corresponds to the secret-key of a cryptosystem) is not sampled uniformly as required for RLWE hardness. We start by showing worst-case hardness even if the secret is sampled from a subring of the sample space. Then, we study the case where the secret is sampled from an ideal of the sample space or a coset thereof (equivalently, some of its CRT coordinates are fixed or leaked). In the latter, we show an interesting threshold phenomenon where the amount of RLWE noise determines whether the problem is tractable.

Lastly, we address the long standing question of whether high-entropy secret is sufficient for RLWE to be intractable. Our result on sampling from ideals shows that simply requiring high entropy is insufficient. We therefore propose a broad class of distributions where we conjecture that hardness should hold, and provide evidence via reduction to a concrete lattice problem.

Keywords

Ring-LWE Lattice problems Entropic secrets 

Notes

Acknowledgments

We thank the anonymous referees for their insightful comments and useful suggestions.

References

  1. 1.
    Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-00457-5_28CrossRefzbMATHGoogle Scholar
  2. 2.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343. USENIX Association (2016)Google Scholar
  3. 3.
    Alperin-Sheriff, J., Peikert, C.: Practical bootstrapping in quasilinear time. In: Canetti and Garay [16], pp. 1–20zbMATHGoogle Scholar
  4. 4.
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03356-8_35CrossRefGoogle Scholar
  5. 5.
    Babai, L.: On lovász’lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_42CrossRefGoogle Scholar
  7. 7.
    Benhamouda, F., Krenn, S., Lyubashevsky, V., Pietrzak, K.: Efficient zero-knowledge proofs for commitments from learning with errors over rings. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 305–325. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-24174-6_16CrossRefGoogle Scholar
  8. 8.
    Boneh, D., Freeman, D.M.: Homomorphic signatures for polynomial functions. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 149–168. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-20465-4_10CrossRefGoogle Scholar
  9. 9.
    Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-55220-5_30CrossRefGoogle Scholar
  10. 10.
    Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.): Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA 1–4 June 2013. ACM (2013)Google Scholar
  11. 11.
    Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Goldwasser, S. (ed.) ITCS, pp. 309–325. Invited to ACM Transactions on Computation Theory. ACM (2012)Google Scholar
  12. 12.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh et al. [10], pp. 575–584Google Scholar
  13. 13.
    Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from Ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22792-9_29CrossRefGoogle Scholar
  14. 14.
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) FOCS, pp. 97–106. IEEE (2011)Google Scholar
  15. 15.
    Brakerski, Z., Vaikuntanathan, V., Wee, H., Wichs, D.: Obfuscating conjunctions under entropic ring LWE. In: Sudan, M. (ed.) Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, Cambridge, MA, USA, 14–16 January 2016, pp. 147–156. ACM (2016)Google Scholar
  16. 16.
    Canetti, Ran, Garay, Juan A. (eds.): CRYPTO 2013. LNCS, vol. 8042. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40041-4CrossRefzbMATHGoogle Scholar
  17. 17.
    Conrad, K.: The conductor ideal. Expository papers/Lecture notes. http://www.math.uconn.edu/~kconrad/blurbs/gradnumthy/conductor.pdf
  18. 18.
    Conrad, K.: The different ideal. Expository papers/Lecture notes. http://www.math.uconn.edu/~kconrad/blurbs/gradnumthy/different.pdf
  19. 19.
    van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_2CrossRefGoogle Scholar
  20. 20.
    Dodis, Y., Goldwasser, S., Tauman Kalai, Y., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 361–381. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-11799-2_22CrossRefGoogle Scholar
  21. 21.
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti and Garay [16], pp. 40–56CrossRefGoogle Scholar
  22. 22.
    Gentry, C., Halevi, S., Peikert, C., Smart, N.P.: Field switching in BGV-style homomorphic encryption. J. Comput. Secur. 21(5), 663–684 (2013)CrossRefGoogle Scholar
  23. 23.
    Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-32009-5_49CrossRefGoogle Scholar
  24. 24.
    Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Robustness of the learning with errors assumption. In: Yao, A.C. (ed.) Innovations in Computer Science - ICS 2010, Tsinghua University, Beijing, China, 5–7 January 2010. Proceedings, pp. 230–240. Tsinghua University Press (2010)Google Scholar
  25. 25.
    Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh et al. [10], pp. 545–554Google Scholar
  26. 26.
    Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44371-2_31CrossRefzbMATHGoogle Scholar
  27. 27.
    Halevi, S., Shoup, V.: Bootstrapping for HElib. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 641–670. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_25CrossRefGoogle Scholar
  28. 28.
    Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W.: Practical signatures from the partial fourier recovery problem. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 476–493. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-07536-5_28CrossRefGoogle Scholar
  29. 29.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0054868CrossRefGoogle Scholar
  30. 30.
    Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006).  https://doi.org/10.1007/11787006_13CrossRefGoogle Scholar
  31. 31.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_1CrossRefGoogle Scholar
  32. 32.
    Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for Ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38348-9_3CrossRefGoogle Scholar
  33. 33.
    Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti and Garay [16], pp. 21–39Google Scholar
  34. 34.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Mitzenmacher, M. (ed.) STOC, pp. 333–342. ACM (2009)Google Scholar
  35. 35.
    Peikert, C.: How (Not) to instantiate Ring-LWE. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 411–430. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-44618-9_22CrossRefGoogle Scholar
  36. 36.
    Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of Ring-LWE for any ring and modulus. IACR Cryptology ePrint Archive 2017, vol. 258 (2017)Google Scholar
  37. 37.
    Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006).  https://doi.org/10.1007/11681878_8CrossRefGoogle Scholar
  38. 38.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) STOC, pp. 84–93. ACM (2005). Full version in [39]Google Scholar
  39. 39.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)MathSciNetCrossRefGoogle Scholar
  40. 40.
    Rosca, M., Stehlé, D., Wallet, A.: On the Ring-LWE and Polynomial-LWE problems. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 146–173. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-78381-9_6CrossRefGoogle Scholar
  41. 41.
    Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-10366-7_36CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Madalina Bolboceanu
    • 1
    Email author
  • Zvika Brakerski
    • 2
  • Renen Perlman
    • 2
  • Devika Sharma
    • 2
  1. 1.BitdefenderBucharestRomania
  2. 2.Weizmann Institute of ScienceRehovotIsrael

Personalised recommendations