Abstract

Several works have characterized weak instances of the Ring-LWE problem by exploring vulnerabilities arising from the use of algebraic structures. Although these weak instances are not covered by the worst-case hardness theorems, enabling other ring instantiations enlarges the scope of possible applications and favors the diversification of security assumptions. In this work, we extend the Ring-LWE problem in lattice-based cryptography to algebraic lattices realized through twisted embeddings. We define the class of problems Twisted Ring-LWE, which replaces the canonical embedding by an extended form. By doing so, we allow the Ring-LWE problem to be instantiated over maximal real subfields of cyclotomic number fields. We prove that Twisted Ring-LWE is at least as hard as Ring-LWE by giving a security reduction from Ring-LWE to Twisted Ring-LWE in both search and decision forms. It is also shown that the twist factor does not affect the asymptotic approximation factors in the worst-case to average-case reductions. Thus, Twisted Ring-LWE retains the established hardness guarantee of Ring-LWE and increases the existing scope of algebraic lattices that can be considered for cryptographic applications. Additionally, we extend the results of Ducas and Durmus (Public-Key Cryptography, 2012) on spherical Gaussian distributions to the proposed class of lattices under certain restrictions. As a result, sampling from a spherical Gaussian distribution can be done directly in the respective number field while maintaining its shape and standard deviation when viewed through twisted embeddings.

Highlights

  • Lattice-based cryptography comprises the class of cryptosystems whose security is based on the conjectured intractability of hard lattice problems such as the Shortest Independent Vectors Problem (SIVP), the Shortest Vector Problem (SVP), and the Closest Vector Problem (CVP) [1,2]

  • Twisted embeddings have been useful in coding theory, since they allow the construction of algebraic lattices with improved properties for Rayleigh fading channels, providing high density, maximum diversity, and large minimum product distance [33–35]

  • We introduce an extension to the Ring-Learning with Errors (LWE) class of problems, namely


Summary

Introduction

Lattice-based cryptography comprises the class of cryptosystems whose security is based on the conjectured intractability of hard lattice problems such as the Shortest Independent Vectors Problem (SIVP), the Shortest Vector Problem (SVP), and the Closest Vector Problem (CVP). Although the Ring-LWE hardness results hold for any number field [4,9], its most used instantiation in lattice-based cryptosystems is over power-of-two cyclotomic number fields, as evidenced by the finalists of NIST’s Post-Quantum Cryptography standardization effort [10]. In that setting the dual ideal $R^\vee$ is just a scaling of the ring, $R = mR^\vee$, allowing applications to work directly on $R$ with no loss in their underlying worst-case hardness guarantees [4]. Another advantage of power-of-two cyclotomic number fields is that the sampling of error terms can be performed directly in the ring $R$ with respect to a power basis, since the transformation to the associated vector subspace $H$, isomorphic to $\mathbb{R}^n$, is just a rigid rotation followed by scaling. A sequence of works has characterized weak instances of the Ring-LWE and Poly-LWE problems and proposed attacks that exploit special properties of specific parameters [15–24]. Another motivation for searching for alternative number fields is the inflexibility of system parameters, which must grow as powers of two. We therefore ask whether the Ring-LWE problem can be parameterized by number fields other than the cyclotomic ones for cryptographic applications.
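The two facts above (the canonical embedding of a power-of-two cyclotomic ring is a rigid rotation followed by scaling, and a twisted embedding is needed to get the same property over a maximal real subfield, which is what lets a spherical Gaussian be sampled on coefficients as in the abstract) can be checked numerically. The following is an added example written for this page, not code from the paper or its authors. It uses the twisted embedding of the coding-theory literature, $\sigma_\alpha(x) = (\sqrt{\sigma_1(\alpha)}\sigma_1(x), \ldots, \sqrt{\sigma_d(\alpha)}\sigma_d(x))$ for a totally real field with real embeddings $\sigma_i$ and totally positive $\alpha$, under which $\langle \sigma_\alpha(x), \sigma_\alpha(y)\rangle = \mathrm{Tr}(\alpha x y)$; $\alpha = 1$ gives back the canonical embedding. The twist $\alpha = 2 - \theta$ with $\theta = \zeta_m + \zeta_m^{-1}$ is an assumption borrowed from the rotated-$\mathbb{Z}^n$ constructions over $\mathbb{Q}(\zeta_{2^r})^+$; the paper's own normalization and choice of twist may differ. All function names are this example's own.

```python
"""
Canonical and twisted embeddings of power-of-two cyclotomic rings.

Added example, not code from the paper. Twisted embedding as in the
coding-theory literature: <sigma_alpha(x), sigma_alpha(y)> = Tr_{K/Q}(alpha*x*y),
with alpha totally positive; alpha = 1 is the canonical embedding. The twist
alpha = 2 - theta (theta = zeta_m + zeta_m^{-1}) is an assumption taken from
rotated-Z^n constructions over Q(zeta_{2^r})^+, used here only to illustrate.
"""
import cmath
import math
from fractions import Fraction


def canonical_gram_cyclotomic(n):
    """Gram matrix of the power basis 1, x, ..., x^(n-1) of R = Z[x]/(x^n + 1),
    n a power of two, under the canonical embedding a -> (a(zeta^j))_{j odd},
    zeta = exp(i*pi/n). Entries are rounded to integers."""
    zetas = [cmath.exp(1j * math.pi * j / n) for j in range(1, 2 * n, 2)]
    return [[round(sum((z ** k) * (z ** l).conjugate() for z in zetas).real)
             for l in range(n)] for k in range(n)]


def real_embeddings(m):
    """Images of theta = zeta_m + zeta_m^{-1} under the real embeddings of
    K+ = Q(zeta_m)^+ (m a power of two): 2cos(2*pi*j/m) for odd j < m/2."""
    if m < 8 or m & (m - 1):
        raise ValueError("m must be a power of two, m >= 8")
    return [2 * math.cos(2 * math.pi * j / m) for j in range(1, m // 2, 2)]


def evaluate(poly, t):
    """Evaluate an element of Z[theta] (coefficients, lowest degree first) at t."""
    return sum(c * t ** i for i, c in enumerate(poly))


def twisted_gram(m, basis, alpha):
    """Gram matrix Tr_{K+/Q}(alpha*b_i*b_j) of the twisted embedding of the
    Z-span of `basis` inside O_{K+} = Z[theta]; alpha = [1] is the canonical one."""
    embs = real_embeddings(m)
    if any(evaluate(alpha, t) <= 0 for t in embs):
        raise ValueError("alpha must be totally positive")
    return [[round(sum(evaluate(alpha, t) * evaluate(bi, t) * evaluate(bj, t)
                       for t in embs)) for bj in basis] for bi in basis]


def scaled_identity_factor(gram):
    """Return c if gram == c*I (embedded basis orthogonal with equal norms, so a
    spherical Gaussian on coefficients stays spherical in H), else None."""
    d = len(gram)
    c = gram[0][0]
    ok = all(gram[i][j] == (c if i == j else 0) for i in range(d) for j in range(d))
    return c if ok else None


def det(mat):
    """Exact determinant by Gaussian elimination over the rationals."""
    a = [[Fraction(v) for v in row] for row in mat]
    n, d = len(a), Fraction(1)
    for i in range(n):
        p = next((r for r in range(i, n) if a[r][i] != 0), None)
        if p is None:
            return Fraction(0)
        if p != i:
            a[i], a[p] = a[p], a[i]
            d = -d
        d *= a[i][i]
        for r in range(i + 1, n):
            f = a[r][i] / a[i][i]
            for c in range(i, n):
                a[r][c] -= f * a[i][c]
    return d


def is_scaled_unimodular(gram, c):
    """True if gram/c is integral with determinant 1, i.e. the embedded lattice
    is sqrt(c) times a unimodular integral lattice (a rotated Z^d in rank < 8)."""
    if any(v % c for row in gram for v in row):
        return False
    return det([[v // c for v in row] for row in gram]) == 1


if __name__ == "__main__":
    # Power-of-two cyclotomic: the canonical embedding is a rotation plus scaling.
    print(canonical_gram_cyclotomic(4))                  # 4*I

    # K+ = Q(zeta_8)^+ = Q(sqrt 2), theta = sqrt 2, power basis {1, theta}.
    power = [[1], [0, 1]]
    print(twisted_gram(8, power, [1]))                   # canonical: diag(2, 4)
    print(twisted_gram(8, power, [2, -1]))               # twist 2 - theta
    print(twisted_gram(8, [[1], [1, 1]], [2, -1]))       # basis {1, 1+theta}: 4*I

    # K+ = Q(zeta_16)^+, power basis {1, theta, theta^2, theta^3}.
    power4 = [[1], [0, 1], [0, 0, 1], [0, 0, 0, 1]]
    g = twisted_gram(16, power4, [2, -1])
    print(g, is_scaled_unimodular(g, 8))                 # gram/8 is unimodular
    rotated = [[1], [1, 1], [-1, 1, 1], [-1, -2, 1, 1]]  # unimodular change of basis
    print(scaled_identity_factor(twisted_gram(16, rotated, [2, -1])))  # 8
```

Running it shows the contrast the introduction draws: for $R = \mathbb{Z}[x]/(x^4+1)$ the power basis has Gram matrix $4I$, so coefficient-wise Gaussian sampling is already spherical in $H$; for $\mathbb{Z}[\theta] \subset \mathbb{Q}(\zeta_8)^+$ the canonical embedding gives $\mathrm{diag}(2,4)$, which is orthogonal but not a scaled rotation, while the twist $\alpha = 2 - \theta$ yields $4I$ after a unimodular change of basis. The $\mathbb{Q}(\zeta_{16})^+$ case works the same way with scale $8$. The totally-positive check in `twisted_gram` is the caveat a practitioner should keep: a twist with a negative real embedding does not define an inner product at all.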

Contributions
Organization
Preliminaries on Lattices and Algebraic Number Theory
The Space H
Lattices in Euclidean Vector Spaces
Algebraic Number Theory
Field Monomorphisms
Ring of Integers and Its Ideals
The Ring-LWE Problem
The Twisted Ring-LWE
Twisted Embeddings
The Twisted Ring-LWE Problem
Hardness of Twisted Ring-LWE
Computing the Approximation Factors
Applications of the Twisted Ring-LWE
Practical Impacts on a Public-Key Cryptosystem
Discussion
Future Work