TY - GEN
T1 - Ring-LWE in polynomial rings
AU - Ducas, Léo
AU - Durmus, Alain
PY - 2012/1/1
Y1 - 2012/1/1
AB - The Ring-LWE problem, introduced by Lyubashevsky, Peikert, and Regev (Eurocrypt 2010), has been steadily finding many uses in numerous cryptographic applications. Still, the Ring-LWE problem defined in [LPR10] involves the fractional ideal R∨, the dual of the ring R, which is the source of many theoretical and implementation technicalities. Until now, getting rid of R∨ required some relatively complex transformation that substantially increases the magnitude of the error polynomial and the practical complexity to sample it. It is only for rings R = ℤ[X]/(X^n + 1), where n is a power of 2, that this transformation is simple and benign. In this work we show that by applying a different, and much simpler transformation, one can transfer the results from [LPR10] into an "easy-to-use" Ring-LWE setting (i.e. without the dual ring R∨), with only a very slight increase in the magnitude of the noise coefficients. Additionally, we show that creating the correct noise distribution can also be simplified by generating a Gaussian distribution over a particular extension ring of R, and then performing a reduction modulo f(X). In essence, our results show that one does not need to resort to using any algebraic structure that is more complicated than polynomial rings in order to fully utilize the hardness of the Ring-LWE problem as a building block for cryptographic applications.
UR - https://www.scopus.com/pages/publications/84861708152
U2 - 10.1007/978-3-642-30057-8_3
DO - 10.1007/978-3-642-30057-8_3
M3 - Conference contribution
AN - SCOPUS:84861708152
SN - 9783642300561
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 34
EP - 51
BT - Public Key Cryptography, PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography, Proceedings
PB - Springer Verlag
T2 - 15th International Conference on Practice and Theory in Public Key Cryptography, PKC 2012
Y2 - 21 May 2012 through 23 May 2012
ER -