Revision as of 13:25, 13 December 2017 edit 77.232.15.89 (talk) →Background Tags: Mobile edit Mobile web edit ← Previous edit		Revision as of 12:13, 24 April 2018 edit undo 147.0.108.174 (talk) →Security Reduction Next edit →
Line 34: == Security Reduction == In cases where the polynomial <math>\Phi(x)</math> is a [[cyclotomic polynomial]], the difficulty of solving the search version of RLWE problem is equivalent to finding a short vector (but not necessarily the shortest) vector) in an ideal lattice formed from elements of <math>\mathbf{Z}[x]/\Phi(x)</math> represented as integer vectors.<ref name=":0">{{Cite journal\|title = On Ideal Lattices and Learning with Errors Over Rings\|url = http://eprint.iacr.org/2012/230\|date = 2012\|first = Vadim\|last = Lyubashevsky\|first2 = Chris\|last2 = Peikert\|first3 = Oded\|last3 = Regev}}</ref> This problem is commonly known as the [[Shortest vector problem\|Approximate Shortest Vector Problem (α-SVP)]] and it is the problem of finding a vector shorter than α times the shortest vector. The authors of the proof for this equivalence write: :''"... we give a quantum reduction from approximate SVP (in the worst case) on ideal lattices in <math>\mathbf{R}</math> to the search version of ring-LWE, where the goal is to recover the secret <math>s \in \mathbf{R}_q</math> (with high probability, for any <math>s</math>) from arbitrarily many noisy products."''<ref name=":0" />

Ring learning with errors: Difference between revisions