The Security of Learning With Errors: A Post-Quantum Cryptosystem
Additional Funding Sources
This research, conducted at the Complexity Across Disciplines Research Experience for Undergraduates site, was supported by the National Science Foundation under Grant No. DMS-1659872 and by Boise State University.
Abstract
Certain attacks on the Ring Learning with Errors (RLWE) post-quantum cryptosystem rely on reduction to the Polynomial Learning with Errors (PLWE) problem.
In this work, we answer questions posed recently by Y. Elias and others regarding the concepts of spectral distortion and smearing that are used as conditions for a successful attack.
The spectral distortion of an $n \times n$ matrix $M$ is defined as $\|M\|_2 / \det(M)^{1/n}$, where $M$ is a matrix derived from the Minkowski embedding of a number field $K$, and is used to bound the error when moving between problem instances.
We show that if $K = \mathbb{Q}(\zeta_n)$ for $\zeta_n$ a primitive $n$-th root of unity, then $M^H M$ is a structured symmetric Toeplitz matrix.
Moreover, we provide a closed form for the spectral distortion when $n = 2^i p^j$ for $i, j \geq 0$ and prime $p$.
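The Toeplitz structure and the spectral distortion can be checked numerically for small cyclotomic fields. The block below is an added example, not code from the paper or its authors: it builds one common form of the Minkowski embedding matrix of $\mathbb{Q}(\zeta_n)$ (rows indexed by the embeddings $\sigma_k$, $\gcd(k, n) = 1$, columns by the power basis $1, \zeta, \dots, \zeta^{d-1}$ with $d = \varphi(n)$; the paper's $M$ may use a different normalisation), forms the Gram matrix $M^H M$, whose entries are the Ramanujan sums $\sum_k \zeta^{(l-j)k}$ and therefore integers depending only on $l - j$, and computes $\|M\|_2 / |\det M|^{1/d}$ in pure Python. The closed form from the paper is not reproduced; for a prime $p$ one can verify by hand that $M^H M = pI - J$ with eigenvalues $p$ and $1$, which gives $p^{1/(2(p-1))}$, and for a power of two the Gram matrix is a multiple of the identity, so the distortion is exactly $1$.

```python
# Added example (not from the paper): Minkowski embedding of Q(zeta_n), its Gram
# matrix M^H M, and the spectral distortion ||M||_2 / |det M|^(1/d), d = phi(n).
from math import gcd, cos, sin, pi, sqrt

def embedding_matrix(n):
    """Rows: embeddings sigma_k for k coprime to n; columns: power basis zeta^j, j < d.
    Entry [k][j] is sigma_k(zeta^j) = exp(2*pi*i*j*k/n)."""
    units = [k for k in range(1, n + 1) if gcd(k, n) == 1]
    d = len(units)
    return [[complex(cos(2 * pi * j * k / n), sin(2 * pi * j * k / n)) for j in range(d)]
            for k in units]

def gram_matrix(M):
    """G = M^H M.  Entry (j, l) is sum_k zeta^{(l - j) k} over the units k, a
    Ramanujan sum and hence a real integer; rounding removes floating-point noise."""
    d = len(M[0])
    G = [[0] * d for _ in range(d)]
    for j in range(d):
        for l in range(d):
            s = sum(M[k][j].conjugate() * M[k][l] for k in range(len(M)))
            G[j][l] = round(s.real)
    return G

def is_symmetric_toeplitz(G):
    """Symmetric (G[j][l] == G[l][j]) and Toeplitz (constant along each diagonal)."""
    d = len(G)
    return all(G[j][l] == G[l][j] and G[j][l] == G[0][abs(l - j)]
               for j in range(d) for l in range(d))

def largest_eigenvalue(G, iters=2000):
    """Power iteration.  G is a Gram matrix, so it is positive semidefinite and the
    Rayleigh quotient converges to ||M||_2^2 from a generic start vector."""
    d = len(G)
    v = [float(i + 1) for i in range(d)]
    lam = 0.0
    for _ in range(iters):
        w = [sum(G[i][j] * v[j] for j in range(d)) for i in range(d)]
        lam = sum(v[i] * w[i] for i in range(d)) / sum(x * x for x in v)
        norm = sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return lam

def determinant(G):
    """Gaussian elimination with partial pivoting on a float copy of G."""
    A = [[float(x) for x in row] for row in G]
    d = len(A)
    det = 1.0
    for c in range(d):
        p = max(range(c, d), key=lambda r: abs(A[r][c]))
        if abs(A[p][c]) < 1e-12:
            return 0.0
        if p != c:
            A[c], A[p] = A[p], A[c]
            det = -det
        det *= A[c][c]
        for r in range(c + 1, d):
            factor = A[r][c] / A[c][c]
            for k in range(c, d):
                A[r][k] -= factor * A[c][k]
    return det

def spectral_distortion(n):
    """||M||_2 / |det M|^(1/d), using |det M|^2 = det(M^H M)."""
    G = gram_matrix(embedding_matrix(n))
    d = len(G)
    return sqrt(largest_eigenvalue(G)) / determinant(G) ** (1.0 / (2 * d))

if __name__ == "__main__":
    for n in (5, 7, 8, 12, 16):
        G = gram_matrix(embedding_matrix(n))
        print(n, is_symmetric_toeplitz(G), round(spectral_distortion(n), 6))
```

The Gram matrix is rounded to integers only because its entries are provably Ramanujan sums; for a non-cyclotomic field that step would have to be dropped. The power iteration is adequate here because the Gram matrix is positive semidefinite and small; for larger degrees a proper symmetric eigensolver should replace it.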
We say that a map $\pi_\alpha : P_q \to \mathbb{F}_q$, $g \mapsto g(\alpha)$, smears if $\pi_\alpha(S) = \mathbb{F}_q$, where $P_q = \mathbb{F}_q[x]/(f(x))$, $f(x)$ is a monic irreducible polynomial over $\mathbb{Z}$ that splits completely over $\mathbb{F}_q$, $f(\alpha) = 0$, and $S \subset P_q$.
When $\pi_\alpha$ does not smear, a PLWE problem instance is susceptible to attacks.
We provide an estimate of the probability of smearing as a function of $|S|$ and the distribution from which elements of $P_q$ are sampled.