Ring learning with errors: Difference between revisions

Ring Learning with Errors (RLWE) is a [[computational problem]] which serves as the foundation of new cryptographic algorithms designed to protect against cryptanalysis by [[quantum computers]] and also to provide the basis for [[homomorphic encryption]]. RLWE is more properly called Learning''learning with Errorserrors over Ringsrings'' and is simply the larger [[Learninglearning with errors|Learning with Errors]] (LWE) problem specialized to [[polynomial ringsring]]s over finite fields.<ref name=":0" /> Because of the presumed difficulty of solving the RLWE problem even on a quantum computer, RLWE based cryptography may form the fundamental base for [[Publicpublic-key cryptography|public key cryptography]] in the future just as the [[integer factorization]] and [[discrete logarithm]] problem have served as the base for public key cryptography since the early 1980's1980s.<ref name=":2">{{Cite book|publisher = Springer International Publishing|isbn = 978-3-319-11658-7|pages = 197–219|series = Lecture Notes in Computer Science|first = Chris|last = Peikert|editor-first = Michele|editor-last = Mosca|doi = 10.1007/978-3-319-11659-4_12|title = Post-Quantum Cryptography|volume = 8772|year = 2014|chapter = Lattice Cryptography for the Internet|citeseerx = 10.1.1.800.4743| s2cid=8123895 }}</ref> An important feature of basing cryptography on the Ringring Learninglearning with Errorserrors problem is the fact that the solution to the RLWE problem iscan reduciblebe used to thesolve NP-Harda version of the [[Shortestshortest vector problem|Shortest Vector Problem]] (SVP) in a Lattice.lattice (a Hencepolynomial-time areduction solutionfrom tothis the RLWESVP problem would imply a solution to athe wholeRLWE classproblem ofhas presumedbeen hardpresented<ref computationalname=":0" problems/>).

=== Background ===

The security of modern cryptography, in particular Public[[public-key Key Cryptographycryptography]], is based on the difficultyassumed intractability of solving certain computational problems believed to be intractable if the size of the problem is large enough and the instance of the problem to be solved is chosen randomly. The classic example that has been used since the 1970's1970s is the [[integer factorization]] problem. It is believed that it is computationally intractable to factor the product of two prime numbers if those prime numbers are large enough and chosen at random.<ref>{{cite conference |title=Algorithms for quantum computation: discrete logarithms and factoring |first=Peter |last=Shor |date=20 November 1994 |conference=35th Annual Symposium on Foundations of Computer Science |publisher=IEEE |___location=Santa Fe |isbn=0-8186-6580-7 |doi=10.1109/SFCS.1994.365700 |quote=This paper gives Las Vegas algorithms for finding discrete logarithms and factoring integers on a quantum computer that take a number of steps which is polynomial in the input size, e.g., the number of digits of the integer to be factored. These two problems are generally considered hard on a classical computer and have been used as the basis of several proposed cryptosystems.}}</ref> As of 2015 research has led to the factorization of the product of two 384-bit primes but not the product of two 512-bit primes. [[Integer factorization]] forms the basis of the widely used [[RSA (cryptosystem)|RSA]] cryptographic algorithm.

The Ringring Learninglearning with Errorserrors (RLWE) problem is built on the arithmetic of [[polynomials]] with coefficients from a [[finite field]].<ref name=":0" /> A typical polynomial <math display="inline">a(x)</math> is expressed as:

:<math>a(x) = a_0 + a_1x + a_2x^2 + ...\ldots + a_{n-2}x^{n-2} + a_{n-1}x^{n-1}</math>

Polynomials can be added and multiplied in the usual fashion. In the RLWE context the coefficients of the polynomials and all operations involving those coefficients will be done in a finite field, typically the field <math display="inline">\mathbf{Z}/qZq\mathbf{Z} = F_q\mathbf{F}_q</math> for a prime integer <math display="inline">q</math>. The set of polynomials over a finite field with the operations of addition and multiplication forforms an infinite [[polynomial ring]] (<math display="inline">F_q\mathbf{F}_q[x]</math>). The RLWE context works with a finite sub-quotient ring of this infinite ring. The sub-quotient ring is typically the finite [[Quotient ring|quotient (factor) ring]] formed by reducing all of the polynomials in <math display="inline">F_q\mathbf{F}_q[x]</math> modulo an [[irreducible polynomial]] <math display="inline">\Phi(x)</math>. This finite quotient ring can be written as <math>F_q\mathbf{F}_q[x]/\Phi(x)</math> though many authors write <math>Z_q\mathbf{Z}_q[x]/\Phi(x)</math> .<ref name=":0" />

If the degree of the polynomial <math>\Phi(x)</math> is <math display="inline">n</math>, the sub-quotient ring becomes the ring of polynomials of degree less than <math>n</math> modulo <math>\Phi(x)</math> with coefficients from <math>F_q</math>. The values <math display="inline">n</math>, <math display="inline">q</math>, together with the polynomial <math>\Phi(x)</math> partially define the mathematical context for the RLWE problem.

Another concept necessary for the RLWE problem is the idea of "small" polynomials with respect to some norm. The typical norm used in the RLWE problem is known as the infinity norm (also called the [[infinityuniform norm]]). The infinity norm of a polynomial is simply the largest coefficient of the polynomial when these coefficients are viewed as integers. Hence, <math>||a(x)||_\infty = b</math> states that the [[infinity norm]] of the polynomial <math>a(x)</math> is <math>b</math>. Thus <math>b</math> is the largest coefficient of <math>a(x)</math>.

The final concept necessary to understand the RLWE problem is the generation of random polynomials in <math>Z_q\mathbf{F}_q[x]/\Phi(x)</math> and the generation of "small" polynomials . A Thisrandom polynomial is easily donegenerated by simply randomly sampling the <math>n</math> coefficients of the polynomial from <math>F_q\mathbf{F}_q</math>, where <math>F_q\mathbf{F}_q</math> is typically represented as the set: <math>(\{-(q-1)/2, ..., -1, 0, 1, ..., (q-1)/2)\}</math>.

ToRandomly randomly generategenerating a "small" polynomial weis selectdone aby boundgenerating the coefficients forof the infinitypolynomial norm,from <math>b<<q\mathbf{F}_q</math> andin thena randomlyway samplethat theeither nguarantees coefficientsor frommakes thevery set:likely <math>(-b,small coefficients..., -1,When 0, 1, ..., b)</math>. A typical value for <math>bq</math> is 1,a soprime theinteger, coefficientsthere are simplytwo chosencommon fromways to -1,do 0, and 1.this:

=== The RLWE Problemproblem ===

The RLWE problem can be stated in two different ways.: One is called thea "Searchsearch" version and the other is thea "Decisiondecision" version. TheBoth Searchbegin canwith bethe statedsame as followsconstruction. Let

* <math>a_i(x)</math> be a set of random but '''known''' polynomials from <math>Z_q\mathbf{F}_q[x]/\Phi(x)</math> with coefficients from all of <math>F_q\mathbf{F}_q</math>.

* <math>e_i(x)</math> be a set of small random and '''unknown''' polynomials relative to a bound <math>b</math> in the ring <math>Z_q\mathbf{F}_q[x]/\Phi(x)</math> .

* <math>s(x)</math> be a small '''unknown''' polynomial relative to a bound <math>b</math> in the ring <math>Z_q\mathbf{F}_q[x]/\Phi(x)</math>.

* <math>b_i(x) = (a_i(x)\cdot s(x)) + e_i(x)</math>.

<nowiki>The Search version entails finding the unknown polynomial <math>s(x)</nowikimath>Given given the list of polynomial pairs <math>( a_i(x), b_i(x) )</math> find the unknown polynomial <math>s(x)</math>.

Using the same definitions, theThe Decision version of the problem can be stated as follows. Given a list of polynomial pairs <math>( a_i(x), b_i(x) )</math>, determine whether the <math>b_i(x)</math> polynomials were constructed as <math>b_i(x) = (a_i(x)\cdot s(x)) + e_i(x)</math> or were generated randomly from <math>Z_q\mathbf{F}_q[x]/\Phi(x)</math> with coefficients from all of <math>F_q\mathbf{F}_q</math>.

The difficulty of this problem is parameterized by the choice of the quotient polynomial ( <math>\Phi(x)</math> ), its degree (<math>n</math>), the field (<math>F_q\mathbf{F}_q</math>), and the smallness bound (<math>b</math>). In many RLWE based public key algorithms the private key will be a pair of small polynomials <math>s(x)</math> and <math>e(x)</math>. The corresponding public key will be a pair of polynomials <math>a(x)</math>, selected randomly from <math>Z_q\mathbf{F}_q[x]/\Phi(x)</math>, and the polynomial <math>t(x)= (a(x)\cdot s(x)) + e(x)</math>. Given <math>a(x)</math> and <math>t(x)</math>, it should be computationally infeasible to recover the polynomial <math>s(x)</math> .

=== Security Reductionreduction ===

In cases where the polynomial <math>\Phi(x)</math> is a cyclotomic polynomial, theThe difficulty of solving the search version of RLWE problem is equivalent to finding a short vector (but not necessarily the shortest) vector) in an ideal lattice formed from elements of <math>\mathbf{Z}[x]/\Phi(x)</math> represented as integer vectors.<ref name=":0">{{Cite journal|title = On Ideal Lattices and Learning with Errors Over Rings|url = http://eprint.iacr.org/2012/230|date = 2012|firstfirst1 = Vadim|lastlast1 = Lyubashevsky|first2 = Chris|last2 = Peikert|first3 = Oded|last3 = Regev| journal=Cryptology ePrint Archive }}</ref> This problem is commonly known as the [[Shortest vector problem|Approximate Shortest Vector Problem (α-SVP)]] and it is the problem of finding a vector shorter than α times the shortest vector. The authors of the proof for this equivalence write:

:''"... we give a quantum reduction from approximate SVP (in the worst case) on ideal lattices in <math>\mathbf{R}</math> to the search version of ring-LWE, where the goal is to recover the secret <math>s ∈\in \mathbf{R<sub>q}_q</submath> (with high probability, for any <math>s</math>) from arbitrarily many noisy products."''<ref name=":0" />

In that quote, The ring <math>\mathbf{R}</math> is <math>\mathbf{Z}[x]/\Phi(x)</math> and the ring R<submath>q\mathbf{R}_q</submath> is <math>Z_q\mathbf{F}_q[x]/\Phi(x)</math>.

The α-SVP in regular lattices is known to be [[NP-hard]] due to work by Daniele Micciancio in 2001, although not for values of α required for a reduction to general learning with errors problem.<ref name=":1">{{Cite journal|title = The Shortest Vector in a Lattice is Hard to Approximate to within Some Constant|url = http://epubs.siam.org/doi/abs/10.1137/S0097539700373039|journal = SIAM Journal on Computing|date = January 1, 2001|issn = 0097-5397|pages = 2008-20352008–2035|volume = 30|issue = 6|doi = 10.1137/S0097539700373039|first = D.|last = Micciancio|citeseerx = 10.1.1.93.6646}}</ref> However, there is not yet a proof to show that the difficulty of the α-SVP for ideal lattices is equivalent to the average α-SVP. Rather we have a proof that if there are '''ANY'any'' α-SVP instances that are hard to solve in ideal lattices then the RLWE Problem will be hard in random instances. <ref name=":0" />

Regarding the difficulty of Shortest Vector Problems in Ideal Lattices, researcher Michael Schneider writes, ''"So far there is no SVP algorithm making use of the special structure of ideal lattices. It is widely believed that solving SVP (and all other lattice problems) in ideal lattices is as hard as in regular lattices ."''<ref>{{Cite journal|title = Sieving for Shortest Vectors in Ideal Lattices|url = http://eprint.iacr.org/2011/458|date = 2011|first = Michael|last = Schneider| journal=Cryptology ePrint Archive }}</ref> The difficultdifficulty of these problems on regular lattices is provably [[NP-hard]].<ref name=":1" /> There are, however, a minority of researchers who do not believe that ideal lattices share the same security properties as regular lattices.<ref>{{Cite web|title = cr.yp.to: 2014.02.13: A subfield-logarithm attack against ideal lattices|url = http://blog.cr.yp.to/20140213-ideal.html|website = blog.cr.yp.to|access-date = 2015-07-03}}</ref>