The Security of Learning With Errors: A Post-Quantum Cryptosystem

Additional Funding Sources

This research, conducted at the Complexity Across Disciplines Research Experience for Undergraduates site, was supported by the National Science Foundation under Grant No. DMS-1659872 and by Boise State University.

Abstract

Certain attacks on the Ring Learning with Errors (RLWE) post-quantum cryptosystem rely on reduction to the Polynomial Learning with Errors (PLWE) problem.

In this work, we answer questions posed recently by Y. Elias and others regarding the concepts of spectral distortion and smearing that are used as conditions for a successful attack.

The spectral distortion of an $n \times n$ matrix $M$ is defined as $\|M\|_2 / \det(M)^{1/n}$, where $M$ is a matrix derived from the Minkowski embedding of a number field $K$, and is used to bound the error when moving between problem instances.

We show that if $K = \mathbb{Q}(\zeta_n)$ for $\zeta_n$, a primitive $n$-th root of unity, then $M^H M$ is a structured symmetric Toeplitz matrix.

Moreover, we provide a closed form for the spectral distortion when $n = 2^i p^j$ for $i, j \ge 0$ and prime $p$.

We say that a map $\pi_\alpha : P_q \to \mathbb{F}_q$, $g \mapsto g(\alpha)$ smears if $\pi_\alpha(S) = \mathbb{F}_q$, where $P_q = \mathbb{F}_q[x]/(f(x))$, $f(x)$ is a monic irreducible polynomial over $\mathbb{Z}$ that splits completely over $\mathbb{F}_q$, $f(\alpha) = 0$, and $S \subseteq P_q$.

When $\pi_\alpha$ does not smear, a PLWE problem instance is susceptible to attacks.

We provide an estimation on the probability of smearing as a function of $|S|$ and the distribution from which elements of $P_q$ are sampled.
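To make the spectral-distortion and Toeplitz statements above concrete, here is an added illustration (not code from the paper): it builds the Minkowski embedding matrix of Q(zeta_n), assumed to have one row per embedding zeta -> zeta^k (k coprime to n) and one column per power-basis element, checks that M^H M is a real symmetric Toeplitz matrix, and computes the spectral distortion numerically in pure Python (power iteration for the spectral norm, Gaussian elimination for the determinant).

```python
import cmath
import math
from math import gcd

def embedding_matrix(n):
    """Minkowski embedding of Q(zeta_n): row k (k coprime to n) is the embedding
    zeta -> zeta^k applied to the power basis 1, zeta, ..., zeta^(phi(n)-1)."""
    units = [k for k in range(1, n) if gcd(k, n) == 1]
    return [[cmath.exp(2j * math.pi * (k * j % n) / n) for j in range(len(units))]
            for k in units]

def gram(M):
    """G = M^H M; entry (j, l) is sum_k conj(M[k][j]) * M[k][l]."""
    d = len(M[0])
    return [[sum(row[j].conjugate() * row[l] for row in M) for l in range(d)]
            for j in range(d)]

def is_symmetric_toeplitz(G, tol=1e-9):
    """True if G is real, symmetric and constant along every diagonal."""
    d = len(G)
    return all(abs(G[j][l].imag) < tol and abs(G[j][l] - G[l][j]) < tol
               and (j + 1 == d or l + 1 == d or abs(G[j][l] - G[j + 1][l + 1]) < tol)
               for j in range(d) for l in range(d))

def spectral_distortion(M, iters=500):
    """||M||_2 / |det M|^(1/d) for d x d M, via G = M^H M: ||M||_2^2 = lambda_max(G)
    (power iteration) and |det M|^2 = det G (Gaussian elimination)."""
    G = [[x.real for x in row] for row in gram(M)]
    d = len(G)
    v = [1.0 + 0.1 * i for i in range(d)]  # generic start vector
    for _ in range(iters):
        w = [sum(G[j][l] * v[l] for l in range(d)) for j in range(d)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    lam = sum(v[j] * G[j][l] * v[l] for j in range(d) for l in range(d))  # Rayleigh quotient
    A, det = [row[:] for row in G], 1.0
    for i in range(d):  # elimination with partial pivoting; G is positive definite
        p = max(range(i, d), key=lambda r: abs(A[r][i]))
        if p != i:
            A[i], A[p] = A[p], A[i]
            det = -det
        det *= A[i][i]
        for r in range(i + 1, d):
            f = A[r][i] / A[i][i]
            A[r] = [A[r][c] - f * A[i][c] for c in range(d)]
    return math.sqrt(lam) / abs(det) ** (1.0 / (2 * d))
```

For n = 8 (a power of two) the Gram matrix is a multiple of the identity and the distortion is exactly 1; for n = 5 and n = 12 the computed values are 5^(1/8) and 3^(1/4), which a reader can compare against the closed form for n = 2^i p^j.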

Comments

T31
