Wikipedia

Ring learning with errors: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
Cryptocat (talk | contribs)
55 edits
No edit summary
Cryptocat (talk | contribs)
55 edits
changed notation
Line 10:
 
== Trapdoor Free Lattice Signature (TFLS) ==
T
 
In this signature algorithm, we will be working in a ring (R) of polynomials of degree n with coefficients in the finite field Fq. We will follow the work of Gunesyu, Lyubashevsy, and Poppleman<ref name=":1" /> as well as that of Singh<ref name=":2" /> closely. Let q be prime and n be a power of 2.
Line 16 ⟶ 15:
=== Definitions: ===
Let
* R<sub>n,q</sub> be the ring of polynomials with degree less than n and with coefficients in F<sub>q</sub> with q a prime.
* a be a fixed publicly known polynomial in R<sub>n,q</sub>
* b be an integer less than q which serves as a bound for polynomial coefficients over the integers
* s<sub>1</sub> be a randomly chosen secret polynomial in R<sub>n,q</sub>
* s<sub>21</sub> be a randomly chosen secret polynomial in R<sub>n.q</sub> with coefficients inchosen thebetween set (-1,0,1b) and (+b)
* s<sub>12</sub> be a randomly chosen secret polynomial in R<sub>n,q</sub> with coefficients chosen between (-b) and (+b)
* the bounded polynomials s<sub>1</sub> and s<sub>2</sub> be the long term private signing key
* t = (a)(s<sub>1</sub>)+s<sub>2</sub> be the long term public key for verification
* r<sub>1</sub> be a randomly chosen secret polynomial in R<sub>n,q</sub> with coefficients chosen between (-b) and (+b)
* r<sub>2</sub> be a randomly chosen secret polynomial in R<sub>n,q</sub> with coefficients inchosen thebetween set (-1,0,1b) and (+b)
* the bounded polynomials r<sub>1</sub> and r<sub>2</sub> be the short term (per signature) private signing key
 
* H(a,b) be a hash function which maps strings a and b to polynomials in Rn,qR with the property that all but 32j coefficients are 0 and the remaining coefficients are either 1 or -1.
 
Another parameter, an integer k, will be crucial to the security of the signatures scheme. Related to the definition of the hash function H(a,b), k will be chosen so that k-32j will define an "acceptance bound" for the polynomials created as the signature of the message. The coefficients of the signature polynomial will need to be between -(k-32j) and +(k+32j). If the coefficients of the computed polynomials are not in this range, the signature is "rejected" and the signing process starts over. This process is known as rejection sampling.
 
=== Signature Generation: ===
Line 38:
* Compute z<sub>1</sub> = (s<sub>1</sub>)(c)+r<sub>1</sub>
* Compute z<sub>2</sub> = (s<sub>2</sub>)(c)+r<sub>2</sub>
* If either z<sub>1</sub> or z<sub>2</sub> have coefficients outside the range -(k-32j) to +(k+32j) reject the signature and generate new values for r<sub>1</sub> and r<sub>2</sub>
If z<sub>1</sub> and z<sub>2</sub> have coefficients in the correct range, accept the polynomials, c, z<sub>1</sub>, and z<sub>2</sub> as the signature and transmit them, along with the message, to the verifier.
 
Retrieved from "https://en.wikipedia.org/wiki/Ring_learning_with_errors"