Abstract

There is a natural trade-off in public key encryption (PKE) schemes based on ring learning with errors (RLWE): a wider error distribution increases security, but at the cost of a higher decryption failure rate (DFR). A straightforward remedy is an error-correcting code, which is standard in communication systems and already appears in some RLWE-based proposals. However, applying error-correcting codes to these cryptographic schemes is far from simply installing an add-on. Firstly, the residue error term obtained at decryption has correlated coefficients, whereas most prevalent error-correcting codes with strong error tolerance assume the channel noise to be independent and memoryless; this explains why only simple error-correcting methods are used in existing RLWE-based PKE schemes. Secondly, the same correlation makes accurate DFR estimation challenging even for uncoded plaintext, and the literature shows that a tighter DFR estimate effectively creates a DFR margin. Thirdly, most error-correcting codes are not designed with security in mind; for example, syndrome decoding is inherently non-constant-time, so a code that is good at error correction may be weak against a variety of attacks. In this work, we propose a polar coding scheme for RLWE-based PKE. A relaxed "independence" assumption is used to derive an uncorrelated residue noise term, and a wireless communication strategy, outage, is used to construct the polar codes. Furthermore, some knowledge about the residue noise is exploited to improve decoding performance. With the parameterization of NewHope Round 2, the proposed scheme creates a considerable DFR margin, which yields a competitive security improvement compared to state-of-the-art benchmarks. Specifically, the security is improved by , while a DFR of is achieved for a code rate of 0.25, modulus q = 12,289, and binomial parameter . Moreover, polar encoding and decoding have quasilinear complexity and intrinsically support constant-time implementations.
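The trade-off the abstract opens with can be reproduced on a toy scale. The following is an added example, not code from the paper or from NewHope: a minimal Lindner-Peikert/NewHope-style RLWE PKE with centered binomial noise, run with hypothetical toy parameters (n = 64, q = 257) chosen so that decryption failures become visible in a few hundred trials. It measures the per-message DFR for several binomial parameters k, and alongside it reports what the DFR would be if the n coefficients of the residue error term e*r - s*e1 + e2 were independent, 1 - (1 - p_bit)^n; the gap between that figure and the measured DFR is the correlation effect that makes DFR estimation hard for uncoded plaintext.

```python
"""Toy RLWE public-key encryption in the Lindner-Peikert / NewHope style, used
to reproduce the trade-off the abstract describes: a wider (centered binomial)
error distribution raises the decryption failure rate (DFR).  Added example,
not the paper's code or NewHope's.  Parameters n=64, q=257 are toy values
(assumption) chosen so failures are visible in a few hundred trials; NewHope
itself uses n in {512, 1024} and q = 12289, where failures are astronomically rare."""
import random


def cbd(k, rng):
    """One sample from the centered binomial distribution psi_k: the
    difference of two sums of k fair coin flips (mean 0, variance k/2)."""
    return sum(rng.randint(0, 1) for _ in range(k)) - sum(rng.randint(0, 1) for _ in range(k))


def poly_cbd(n, k, rng):
    return [cbd(k, rng) for _ in range(n)]


def poly_uniform(n, q, rng):
    return [rng.randrange(q) for _ in range(n)]


def poly_mul(a, b, q):
    """Schoolbook product in Z_q[x]/(x^n + 1); x^n wraps to -1 (negacyclic)."""
    n = len(a)
    acc = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j < n:
                acc[i + j] += ai * bj
            else:
                acc[i + j - n] -= ai * bj
    return [c % q for c in acc]


def poly_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]


def poly_sub(a, b, q):
    return [(x - y) % q for x, y in zip(a, b)]


def centered(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def keygen(n, q, k, rng):
    a = poly_uniform(n, q, rng)
    s, e = poly_cbd(n, k, rng), poly_cbd(n, k, rng)
    return (a, poly_add(poly_mul(a, s, q), e, q)), s   # pk = (a, b = a*s + e), sk = s


def encrypt(pk, bits, q, k, rng):
    """One plaintext bit per coefficient, encoded as 0 or round(q/2)."""
    a, b = pk
    n = len(a)
    r, e1, e2 = (poly_cbd(n, k, rng) for _ in range(3))
    u = poly_add(poly_mul(a, r, q), e1, q)
    v = poly_add(poly_add(poly_mul(b, r, q), e2, q), [(q // 2) * m for m in bits], q)
    return u, v


def decrypt(sk, ct, q):
    """w = v - u*s = encode(m) + (e*r - s*e1 + e2); the parenthesised term is the
    residue error.  A bit decodes correctly iff that residue leaves w closer to
    its own symbol than to the other one, i.e. roughly |residue| < q/4."""
    u, v = ct
    w = poly_sub(v, poly_mul(u, sk, q), q)
    return [1 if abs(centered(c - q // 2, q)) < abs(centered(c, q)) else 0 for c in w]


def roundtrip(n, q, k, seed=0):
    """Encrypt and decrypt one random message; True on exact recovery."""
    rng = random.Random(seed)
    pk, sk = keygen(n, q, k, rng)
    bits = [rng.randint(0, 1) for _ in range(n)]
    return decrypt(sk, encrypt(pk, bits, q, k, rng), q) == bits


def independent_model_dfr(p_bit, n):
    """Per-message DFR if the n residue coefficients were independent."""
    return 1.0 - (1.0 - p_bit) ** n


def dfr_estimate(n, q, k, trials, seed=0):
    """Monte Carlo estimate of the per-message DFR and per-coefficient bit
    error rate for binomial parameter k, plus the independence-model DFR."""
    rng = random.Random(seed)
    msg_failures = bit_failures = 0
    for _ in range(trials):
        pk, sk = keygen(n, q, k, rng)
        bits = [rng.randint(0, 1) for _ in range(n)]
        got = decrypt(sk, encrypt(pk, bits, q, k, rng), q)
        wrong = sum(x != y for x, y in zip(got, bits))
        bit_failures += wrong
        msg_failures += wrong > 0
    p_bit = bit_failures / (trials * n)
    return {"k": k, "dfr": msg_failures / trials, "p_bit": p_bit,
            "dfr_if_independent": independent_model_dfr(p_bit, n)}


if __name__ == "__main__":
    for k in (2, 4, 6):   # wider noise -> higher DFR at fixed (n, q)
        print(dfr_estimate(64, 257, k, trials=200))
```

Widening k at fixed (n, q) moves the residue's standard deviation toward the q/4 decoding threshold, which is exactly the lever that buys security at the cost of DFR; the printed `dfr_if_independent` column is the estimate one would get by treating each coefficient as an independent channel use, which is what a memoryless-channel code design implicitly assumes.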

Highlights

  • Their quantum security relies on the worst-case approximate shortest independent vector problem (SIVP), and they give better efficiency compared to plain LWE because of the ring structure

  • A tighter upper bound on the decryption failure rate (DFR) is derived, which is less than 2^-418 for n = 1024 and 2^-399 for n = 512

  • Theorem 2 gives the upper bound on the decoding error probability


Summary

Introduction

The ring LWE (RLWE) problem was first introduced in 2010 [1], extending the classical LWE problem introduced by Regev in [2]. Key establishment mechanisms based on RLWE, for example NewHope [3], are among the most attractive post-quantum proposals. Their quantum security relies on the worst-case approximate shortest independent vector problem (SIVP), and they are more efficient than plain LWE because of the ring structure. One topic of pressing importance is to refine such schemes for better efficiency and security. We focus on the issue of error correction for RLWE-based public key encryption

