Content deleted Content added
Neutronstar2 (talk | contribs) Tag: Reverted |
m Remove title case |
||
| (6 intermediate revisions by 4 users not shown) | |||
Line 1:
{{short description|Computational problem possibly useful for post-quantum cryptography}}
In [[post-quantum cryptography]], '''ring learning with errors''' ('''RLWE''') is a [[computational problem]] which serves as the foundation of new cryptographic [[algorithm]]s, such as [[NewHope]], designed to protect against [[cryptanalysis]] by [[quantum computers]] and also to provide the basis for [[homomorphic encryption]]. [[Public-key cryptography]] relies on construction of mathematical problems that are believed to be hard to solve if no further information is available, but are easy to solve if some information used in the problem construction is known. Some problems of this sort that are currently used in cryptography are at risk of attack if sufficiently large quantum computers can ever be built, so resistant problems are sought
RLWE is more properly called ''learning with errors over rings'' and is simply the larger [[learning with errors]] (LWE) problem specialized to [[polynomial ring]]s over finite fields.<ref name=":0" /> Because of the presumed difficulty of solving the RLWE problem even on a quantum computer, RLWE based cryptography may form the fundamental base for [[public-key cryptography]] in the future just as the [[integer factorization]] and [[discrete logarithm]] problem have served as the base for public key cryptography since the early 1980s.<ref name=":2">{{Cite book|publisher = Springer International Publishing|isbn = 978-3-319-11658-7|pages = 197–219|series = Lecture Notes in Computer Science|first = Chris|last = Peikert|editor-first = Michele|editor-last = Mosca|doi = 10.1007/978-3-319-11659-4_12|title = Post-Quantum Cryptography|volume = 8772|year = 2014|chapter = Lattice Cryptography for the Internet|citeseerx = 10.1.1.800.4743| s2cid=8123895 }}</ref> An important feature of basing cryptography on the ring learning with errors problem is the fact that the solution to the RLWE problem can be used to solve a version of the [[shortest vector problem]] (SVP) in a lattice (a polynomial-time reduction from this SVP problem to the RLWE problem has been presented<ref name=":0" />).
Line 21:
Randomly generating a "small" polynomial is done by generating the coefficients of the polynomial from <math>\mathbf{F}_q</math> in a way that either guarantees or makes very likely small coefficients. When <math>q</math> is a prime integer, there are two common ways to do this:
# Using Uniform Sampling – The coefficients of the small polynomial are uniformly sampled from a set of small coefficients. Let <math display="inline">b</math> be an integer that is much less than <math display="inline">q</math>. If we randomly choose coefficients from the set: <math display="inline">\{ -b, -b+1, -b+2, \ldots , -2, -1, 0, 1, 2, \ldots , b-2, b-1, b \}</math> the polynomial will be small with respect to the bound (<math display="inline">b</math>).
# Using [[Gaussian_function#Discrete_Gaussian|discrete Gaussian sampling]] – For an odd value for <math display="inline">q</math>, the coefficients of the polynomial are randomly chosen by sampling from the set <math display="inline"> \{ -(q-1)/2, \ldots , (q-1)/2 \} </math> according to a discrete Gaussian distribution with mean <math>0</math> and distribution parameter <math display="inline">\sigma</math>. The references describe in full detail how this can be accomplished. It is more complicated than uniform sampling but it allows for a proof of security of the algorithm. The paper "Sampling from Discrete Gaussians for Lattice-Based Cryptography on a Constrained Device" by Dwarakanath and Galbraith
== The RLWE
The RLWE problem can be stated in two different ways: a "search" version and a "decision" version. Both begin with the same construction. Let
* <math>a_i(x)</math> be a set of random but '''known''' polynomials from <math>\mathbf{F}_q[x]/\Phi(x)</math> with coefficients from all of <math>\mathbf{F}_q</math>.
Line 35:
The difficulty of this problem is parameterized by the choice of the quotient polynomial (<math>\Phi(x)</math>), its degree (<math>n</math>), the field (<math>\mathbf{F}_q</math>), and the smallness bound (<math>b</math>). In many RLWE based public key algorithms the private key will be a pair of small polynomials <math>s(x)</math> and <math>e(x)</math>. The corresponding public key will be a pair of polynomials <math>a(x)</math>, selected randomly from <math>\mathbf{F}_q[x]/\Phi(x)</math>, and the polynomial <math>t(x)= (a(x)\cdot s(x)) + e(x)</math>. Given <math>a(x)</math> and <math>t(x)</math>, it should be computationally infeasible to recover the polynomial <math>s(x)</math>.
== Security
:''"... we give a quantum reduction from approximate SVP (in the worst case) on ideal lattices in <math>\mathbf{R}</math> to the search version of ring-LWE, where the goal is to recover the secret <math>s \in \mathbf{R}_q</math> (with high probability, for any <math>s</math>) from arbitrarily many noisy products."''<ref name=":0" />
Line 48:
Peikert believes that these security equivalences make the RLWE problem a good basis for future cryptography. He writes: ''"There is a mathematical proof that the'' ''only'' ''way to break the cryptosystem (within some formal attack model) on its random instances is by being able to solve the underlying lattice problem in the'' ''worst case"'' (emphasis in the original).<ref>{{Cite web |title = What does GCHQ's "cautionary tale" mean for lattice cryptography? |url = http://web.eecs.umich.edu/~cpeikert/soliloquy.html |website = www.eecs.umich.edu|access-date = 2016-01-05 |archive-url = https://web.archive.org/web/20160317165656/http://web.eecs.umich.edu/~cpeikert/soliloquy.html |archive-date = 2016-03-17}}</ref>
== RLWE
A major advantage that RLWE based cryptography has over the original
Three groups of RLWE cryptographic algorithms exist:
Line 65:
=== Ring learning with errors homomorphic encryption (RLWE-HOM) ===
{{main|Homomorphic encryption}}
Homomorphic encryption is type of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The purpose of
==References==
| |||