Abstract
Lattice-based cryptographic schemes are constructed from hard problems on lattices such as the short integer solution (SIS) problem and the learning with error (LWE) problem. However, cryptographic schemes based on SIS or LWE are inefficient because the key size is too large. Thus, most cryptographic schemes use variants of LWE and SIS with ring and module structures. Albrecht and Deo showed that there is a reduction from module-LWE (M-LWE) to ring-LWE (R-LWE) in the polynomial ring by handling the error rate and modulus. However, unlike the LWE problem, the SIS problem does not have an error rate; instead, there is an upper bound β on the norm of the solution of the SIS problem. In this paper, we propose two novel reductions related to module-SIS (M-SIS) and ring-SIS (R-SIS) on a polynomial ring. We propose (i) the reduction from R-SIS$_{q^k, m^k, \beta^k}$ to R-SIS$_{q, m, \beta}$ and (ii) the reduction from M-SIS to R-SIS under the norm constraint of R-SIS. Combining these two results implies that R-SIS for a specified modulus and number of samples is more difficult than M-SIS under the norm constraints of R-SIS, which provides the range of possible module ranks for M-SIS. Contrary to the widely held belief, the reduction we propose shows that there is a possibility that the security parameters of M-SIS may be less secure when it reduces to R-SIS, for the theoretical reasons presented in this paper. Therefore, when generating parameters on an M-SIS structure, the theoretical security level over R-SIS should also be checked at the same time.
Highlights
Due to the development of quantum computers, it is known that many public key cryptographic schemes such as RSA, ECC, and DSA can be broken using quantum algorithms run on a quantum computer.
Many cryptographic schemes based on the short integer solution (SIS) problem introduced by Ajtai in 1996 [2] and the learning with error (LWE) problem introduced by Regev in 2005 [3] have been proposed.
We propose that R-SIS with modulus $q$ and $m$ samples is more difficult than M-SIS with modulus $q^k$ and $m^k$ samples under some condition on the upper bound β on the norm of the solution of the R-SIS problem.
Summary
Due to the development of quantum computers, it is known that many public key cryptographic schemes such as RSA, ECC (elliptic curve cryptography), and DSA (digital signature algorithm) can be broken using quantum algorithms run on a quantum computer. Many cryptographic schemes based on the short integer solution (SIS) problem introduced by Ajtai in 1996 [2] and the learning with error (LWE) problem introduced by Regev in 2005 [3] have been proposed. Cryptographic schemes based on LWE or SIS are inefficient because the size of the key is too large. To overcome this problem, we use the ring-.

A. CONTRIBUTION

This paper proposes the reduction from M-SIS to R-SIS by using the relation between the modulus and the rank of the module under some condition on the upper bound β on the norm of the solution of R-SIS. We propose that R-SIS$_{q^k, m, \beta}$ is more difficult than M-SIS$_{q^k, m, \beta}$ with the same modulus and the same number of samples under some condition on the upper bound β on the norm of the solution of R-SIS. Assuming that there exists an algorithm for solving R-SIS, we may find the M-SIS parameter that may break the collision-resistant condition through our proposed method.
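The role of the norm bound β is easiest to see in the check that defines a valid solution. The following is an added illustration, not code from the paper, and it does not implement the paper's reductions: it verifies A·z = 0 mod q with 0 < ‖z‖ ≤ β, where module rank d = 1 is R-SIS and d > 1 is M-SIS. The ring Z_q[x]/(x^n + 1), the Euclidean norm, the function names and the planted toy instance are assumptions made for this example.

```python
import random

def ring_mul(a, b, n, q):
    """Multiply in Z_q[x]/(x^n + 1) (ring assumed for this example)."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * bj) % q
            else:  # x^n = -1, so wrapped terms change sign
                out[k - n] = (out[k - n] - ai * bj) % q
    return out

def ring_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def is_msis_solution(A, z, n, q, beta):
    """True iff A*z = 0 mod q and 0 < ||z||_2 <= beta.
    A is a d x m matrix of ring elements; z holds m polynomials with
    signed (centred) coefficients. d = 1 is R-SIS, d > 1 is M-SIS."""
    norm_sq = sum(c * c for poly in z for c in poly)
    if norm_sq == 0 or norm_sq > beta * beta:
        return False  # zero vector or too long: rejected by the norm bound
    for row in A:
        acc = [0] * n
        for a_ij, z_j in zip(row, z):
            acc = ring_add(acc, ring_mul(a_ij, z_j, n, q), q)
        if any(acc):
            return False
    return True

def planted_instance(d, m, n, q, seed=0):
    """Constructed toy instance: random A with a known ternary solution z."""
    rng = random.Random(seed)
    z = [[rng.choice((-1, 0, 1)) for _ in range(n)] for _ in range(m - 1)]
    z.append([1] + [0] * (n - 1))  # last coordinate is the polynomial 1
    A = []
    for _ in range(d):
        row = [[rng.randrange(q) for _ in range(n)] for _ in range(m - 1)]
        s = [0] * n
        for a_ij, z_j in zip(row, z):
            s = ring_add(s, ring_mul(a_ij, z_j, n, q), q)
        row.append([(-c) % q for c in s])  # last column cancels the others
        A.append(row)
    return A, z
```

With n = 8 and m = 4 the planted solution has squared norm at most 25, so it passes for β = 5 and is rejected for any β below 1, even though A·z = 0 holds in both cases.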