Module-LWE versus Ring-LWE, Revisited

Until now, the only reduction from the module learning with errors problem (MLWE) to the ring learning with errors problem (RLWE) was given by Albrecht et al. in ASIACRYPT 2017. Reductions from search MLWE to search RLWE were satisfactory over power-of-2 cyclotomic fields, with a relatively small increase of errors. However, a direct reduction from decision MLWE to decision RLWE leads to a super-polynomial increase of errors and does not work even in the most special case, power-of-2 cyclotomic fields. Whether decision MLWE can be reduced to decision RLWE, and whether similar reductions also work for general fields, remain open. In this paper, we give a reduction from worst-case decision MLWE with module rank $d$ and computation modulus $q$ to average-case decision RLWE with modulus $q$ over any cyclotomic field. Our reduction increases the LWE error rate by a small polynomial factor. As a result, we obtain an efficient reduction from worst-case decision MLWE with modulus $q \approx \tilde{O}(n)$ and error rate $\alpha \approx \tilde{O}(n^{-4.25})$ to average-case decision RLWE with error rate $\Gamma \approx \tilde{O}(n^{-1/2})$; hence, we get a reduction from the worst-case module approximate shortest independent vectors problem ($\mathrm{SIVP}_\gamma$) with approximation parameter $\gamma \approx \tilde{O}(n)$ to the corresponding average-case decision RLWE problems. Meanwhile, our result shows that the search variant reductions of Albrecht et al. could work in arbitrary cyclotomic fields as well. We also give an efficient self-reduction of RLWE problems and a converse reduction from decision MLWE to module $\mathrm{SIVP}_\gamma$ over any cyclotomic field, as improvements of related results shown by Rosca et al. in EUROCRYPT 2018 and Langlois et al. [DCC 15]. Our methods can also be applied to more general algebraic fields $K$, as long as we can find a good enough basis of the dual $R^\vee$ of the ring of integers of $K$.
