Ring learning with errors

In post-quantum cryptography, ring learning with errors (RLWE) is a computational problem which serves as the foundation of new cryptographic algorithms, such as NewHope, designed to protect against cryptanalysis by quantum computers and also to provide the basis for homomorphic encryption. Public-key cryptography relies on construction of mathematical problems that are believed to be hard to solve if no further information is available, but are easy to solve if some information used in the problem construction is known. Some problems of this sort that are currently used in cryptography are at risk of attack if sufficiently large quantum computers can ever be built, so resistant problems are sought. Homomorphic encryption is a form of encryption that allows computation on ciphertext, such as arithmetic on numeric values stored in an encrypted database.

RLWE is more properly called learning with errors over rings and is simply the larger learning with errors (LWE) problem specialized to polynomial rings over finite fields. Because of the presumed difficulty of solving the RLWE problem even on a quantum computer, RLWE based cryptography may form the fundamental base for public-key cryptography in the future just as the integer factorization and discrete logarithm problem have served as the base for public key cryptography since the early 1980s. An important feature of basing cryptography on the ring learning with errors problem is the fact that the solution to the RLWE problem can be used to solve a version of the shortest vector problem (SVP) in a lattice (a polynomial-time reduction from this SVP problem to the RLWE problem has been presented ).

Background
The security of modern cryptography, in particular public-key cryptography, is based on the assumed intractability of solving certain computational problems if the size of the problem is large enough and the instance of the problem to be solved is chosen randomly. The classic example that has been used since the 1970s is the integer factorization problem. It is believed that it is computationally intractable to factor the product of two prime numbers if those prime numbers are large enough and chosen at random. As of 2015 research has led to the factorization of the product of two 384-bit primes but not the product of two 512-bit primes. Integer factorization forms the basis of the widely used RSA cryptographic algorithm.

The ring learning with errors (RLWE) problem is built on the arithmetic of polynomials with coefficients from a finite field. A typical polynomial $a(x)$ is expressed as:


 * $$a(x) = a_0 + a_1x + a_2x^2 + \ldots + a_{n-2}x^{n-2} + a_{n-1}x^{n-1}$$

Polynomials can be added and multiplied in the usual fashion. In the RLWE context the coefficients of the polynomials and all operations involving those coefficients will be done in a finite field, typically the field $\mathbf{Z}/q\mathbf{Z} = \mathbf{F}_q$ for a prime integer $q$. The set of polynomials over a finite field with the operations of addition and multiplication forms an infinite polynomial ring ($\mathbf{F}_q[x]$ ). The RLWE context works with a finite quotient ring of this infinite ring. The quotient ring is typically the finite quotient (factor) ring formed by reducing all of the polynomials in $\mathbf{F}_q[x]$ modulo an irreducible polynomial $\Phi(x)$. This finite quotient ring can be written as $$\mathbf{F}_q[x]/\Phi(x)$$ though many authors write $$\mathbf{Z}_q[x]/\Phi(x)$$.

If the degree of the polynomial $$\Phi(x)$$ is $n$, the quotient ring becomes the ring of polynomials of degree less than $$n$$ modulo $$\Phi(x)$$ with coefficients from $$F_q$$. The values $n$, $q$ , together with the polynomial $$\Phi(x)$$ partially define the mathematical context for the RLWE problem.

Another concept necessary for the RLWE problem is the idea of "small" polynomials with respect to some norm. The typical norm used in the RLWE problem is known as the infinity norm (also called the uniform norm). The infinity norm of a polynomial is simply the largest coefficient of the polynomial when these coefficients are viewed as integers. Hence, $$||a(x)||_\infty = b$$ states that the infinity norm of the polynomial $$a(x)$$ is $$b$$. Thus $$b$$ is the largest coefficient of $$a(x)$$.

The final concept necessary to understand the RLWE problem is the generation of random polynomials in $$\mathbf{F}_q[x]/\Phi(x)$$ and the generation of "small" polynomials. A random polynomial is easily generated by simply randomly sampling the $$n$$ coefficients of the polynomial from $$\mathbf{F}_q$$, where $$\mathbf{F}_q$$ is typically represented as the set $$\{-(q-1)/2, ..., -1, 0, 1, ..., (q-1)/2\}$$.

Randomly generating a "small" polynomial is done by generating the coefficients of the polynomial from $$\mathbf{F}_q$$ in a way that either guarantees or makes very likely small coefficients. When $$q$$ is a prime integer, there are two common ways to do this:
 * 1) Using Uniform Sampling – The coefficients of the small polynomial are uniformly sampled from a set of small coefficients. Let $b$  be an integer that is much less than $q$ . If we randomly choose coefficients from the set: $\{ -b, -b+1, -b+2, \ldots, -2, -1, 0, 1, 2, \ldots , b-2, b-1, b \}$  the polynomial will be small with respect to the bound ($b$ ).
 * 2) Using discrete Gaussian sampling – For an odd value for $q$, the coefficients of the polynomial are randomly chosen by sampling from the set $ \{ -(q-1)/2, \ldots , (q-1)/2 \} $  according to a discrete Gaussian distribution with mean $$0$$ and distribution parameter $\sigma$ . The references describe in full detail how this can be accomplished. It is more complicated than uniform sampling but it allows for a proof of security of the algorithm. The paper "Sampling from Discrete Gaussians for Lattice-Based Cryptography on a Constrained Device" by Dwarakanath and Galbraith provides an overview of this problem.

The RLWE Problem
The RLWE problem can be stated in two different ways: a "search" version and a "decision" version. Both begin with the same construction. Let The Search version entails finding the unknown polynomial $$s(x)$$ given the list of polynomial pairs $$( a_i(x), b_i(x) )$$.
 * $$a_i(x)$$ be a set of random but known polynomials from $$\mathbf{F}_q[x]/\Phi(x)$$ with coefficients from all of $$\mathbf{F}_q$$.
 * $$e_i(x)$$ be a set of small random and unknown polynomials relative to a bound $$b$$ in the ring $$\mathbf{F}_q[x]/\Phi(x)$$.
 * $$s(x)$$ be a small unknown polynomial relative to a bound $$b$$ in the ring $$\mathbf{F}_q[x]/\Phi(x)$$.
 * $$b_i(x) = (a_i(x)\cdot s(x)) + e_i(x)$$.

The Decision version of the problem can be stated as follows. Given a list of polynomial pairs $$( a_i(x), b_i(x) )$$, determine whether the $$b_i(x)$$ polynomials were constructed as $$b_i(x) = (a_i(x)\cdot s(x)) + e_i(x)$$ or were generated randomly from $$\mathbf{F}_q[x]/\Phi(x)$$ with coefficients from all of $$\mathbf{F}_q$$.

The difficulty of this problem is parameterized by the choice of the quotient polynomial ($$\Phi(x)$$), its degree ($$n$$), the field ($$\mathbf{F}_q$$), and the smallness bound ($$b$$). In many RLWE based public key algorithms the private key will be a pair of small polynomials $$s(x)$$ and $$e(x)$$. The corresponding public key will be a pair of polynomials $$a(x)$$, selected randomly from $$\mathbf{F}_q[x]/\Phi(x)$$, and the polynomial $$t(x)= (a(x)\cdot s(x)) + e(x)$$. Given $$a(x)$$ and $$t(x)$$, it should be computationally infeasible to recover the polynomial $$s(x)$$.

Security Reduction
In cases where the polynomial $$\Phi(x)$$ is a cyclotomic polynomial, the difficulty of solving the search version of RLWE problem is equivalent to finding a short vector (but not necessarily the shortest vector) in an ideal lattice formed from elements of $$\mathbf{Z}[x]/\Phi(x)$$ represented as integer vectors. This problem is commonly known as the Approximate Shortest Vector Problem (α-SVP) and it is the problem of finding a vector shorter than α times the shortest vector. The authors of the proof for this equivalence write:


 * "... we give a quantum reduction from approximate SVP (in the worst case) on ideal lattices in $$\mathbf{R}$$ to the search version of ring-LWE, where the goal is to recover the secret $$s \in \mathbf{R}_q$$ (with high probability, for any $$s$$) from arbitrarily many noisy products."

In that quote, The ring $$\mathbf{R}$$ is $$\mathbf{Z}[x]/\Phi(x)$$ and the ring $$\mathbf{R}_q$$ is $$\mathbf{F}_q[x]/\Phi(x)$$.

The α-SVP in regular lattices is known to be NP-hard due to work by Daniele Micciancio in 2001, although not for values of α required for a reduction to general learning with errors problem. However, there is not yet a proof to show that the difficulty of the α-SVP for ideal lattices is equivalent to the average α-SVP. Rather we have a proof that if there are any α-SVP instances that are hard to solve in ideal lattices then the RLWE Problem will be hard in random instances.

Regarding the difficulty of Shortest Vector Problems in Ideal Lattices, researcher Michael Schneider writes, "So far there is no SVP algorithm making use of the special structure of ideal lattices. It is widely believed that solving SVP (and all other lattice problems) in ideal lattices is as hard as in regular lattices." The difficulty of these problems on regular lattices is provably NP-hard. There are, however, a minority of researchers who do not believe that ideal lattices share the same security properties as regular lattices.

Peikert believes that these security equivalences make the RLWE problem a good basis for future cryptography. He writes: "There is a mathematical proof that the only way to break the cryptosystem (within some formal attack model) on its random instances is by being able to solve the underlying lattice problem in the worst case" (emphasis in the original).

RLWE Cryptography
A major advantage that RLWE based cryptography has over the original learning with errors (LWE) based cryptography is found in the size of the public and private keys. RLWE keys are roughly the square root of keys in LWE. For 128 bits of security an RLWE cryptographic algorithm would use public keys around 7000 bits in length. The corresponding LWE scheme would require public keys of 49 million bits for the same level of security. On the other hand, RLWE keys are larger than the keys sizes for currently used public key algorithms like RSA and Elliptic Curve Diffie-Hellman which require public key sizes of 3072 bits and 256 bits, respectively, to achieve a 128-bit level of security. From a computational standpoint, however, RLWE algorithms have been shown to be the equal of or better than existing public key systems.

Three groups of RLWE cryptographic algorithms exist:

Ring learning with errors key exchanges (RLWE-KEX)
The fundamental idea of using LWE and Ring LWE for key exchange was proposed and filed at the University of Cincinnati in 2011 by Jintai Ding. The basic idea comes from the associativity of matrix multiplications, and the errors are used to provide the security. The paper appeared in 2012 after a provisional patent application was filed in 2012.

In 2014, Peikert presented a key transport scheme following the same basic idea of Ding's, where the new idea of sending additional 1 bit signal for rounding in Ding's construction is also utilized. An RLWE version of the classic MQV variant of a Diffie-Hellman key exchange was later published by Zhang et al. The security of both key exchanges is directly related to the problem of finding approximate short vectors in an ideal lattice.

Ring learning with errors signature (RLWE-SIG)
A RLWE version of the classic Feige–Fiat–Shamir Identification protocol was created and converted to a digital signature in 2011 by Lyubashevsky. The details of this signature were extended in 2012 by Gunesyu, Lyubashevsky, and Popplemann in 2012 and published in their paper "Practical Lattice Based Cryptography – A Signature Scheme for Embedded Systems." These papers laid the groundwork for a variety of recent signature algorithms some based directly on the ring learning with errors problem and some which are not tied to the same hard RLWE problems.

Ring learning with errors homomorphic encryption (RLWE-HOM)
The purpose of homomorphic encryption is to allow the computations on sensitive data to occur on computing devices that should not be trusted with the data. These computing devices are allowed to process the ciphertext which is output from a homomorphic encryption. In 2011, Brakersky and Vaikuntanathan, published "Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages" which builds a homomorphic encryption scheme directly on the RLWE problem.