112 research outputs found

    Provably Weak Instances of PLWE Revisited, Again

    Learning with Errors has emerged as a promising possibility for post-quantum cryptography. Variants known as RLWE and PLWE have been shown to be more efficient, but the increased structure can leave them vulnerable to attacks for certain instantiations. This work aims to identify specific cases where proposed cryptographic schemes based on PLWE work particularly poorly under a specific attack.

    Ring-LWE Cryptography for the Number Theorist

    In this paper, we survey the status of attacks on the ring and polynomial learning with errors problems (RLWE and PLWE). Recent work on the security of these problems [Eisenträger-Hallgren-Lauter, Elias-Lauter-Ozman-Stange] gives rise to interesting questions about number fields. We extend these attacks and survey related open problems in number theory, including spectral distortion of an algebraic number and its relationship to Mahler measure, the monogenic property for the ring of integers of a number field, and the size of elements of small order modulo q.

    Security considerations for Galois non-dual RLWE families

    We explore further the hardness of the non-dual discrete variant of the Ring-LWE problem for various number rings, give improved attacks for certain rings satisfying some additional assumptions, construct a new family of vulnerable Galois number fields, and apply some number theoretic results on Gauss sums to deduce the likely failure of these attacks for 2-power cyclotomic rings and unramified moduli.

    Characterizing Insecure Error Distributions For Various RLWE Problems

    This thesis studies how a chosen set of parameters for a Ring Learning With Errors (RLWE) cryptographic instance affects its ability to withstand a certain type of attack. We begin with some non-technical motivation on the specific qualities of RLWE that support its candidacy as a post-quantum cryptographic protocol, and why such protocols are necessary due to recent developments in computing. We then discuss some of the context for RLWE, providing some overview on important concepts in algebraic number theory that underpin the mathematical structure of RLWE. We define several variants of RLWE which researchers in this field have analyzed, provide some detail on how these variants relate to each other, and cover some of the types of attacks against these variants. Following this overview, we introduce the experimental phase of this thesis project and cover the functionality of a program used to simulate an RLWE attack. Finally, we analyze some data generated as a result of tests run on our program and briefly discuss how it relates to previous hypotheses on how an RLWE instance's security should be characterized.

    Provably weak instances of ring-LWE revisited

    In CRYPTO 2015, Elias, Lauter, Ozman and Stange described an attack on the non-dual decision version of the ring learning with errors problem (RLWE) for two special families of defining polynomials, whose construction depends on the modulus q that is being used. For particularly chosen error parameters, they managed to solve non-dual decision RLWE given 20 samples, with a success rate ranging from 10% to 80%. In this paper we show how to solve the search version for the same families and error parameters, using only 7 samples with a success rate of 100%. Moreover, our attack works for every modulus q instead of the q that was used to construct the defining polynomial. The attack is based on the observation that the RLWE error distribution for these families of polynomials is very skewed in the directions of the polynomial basis. For the parameters chosen by Elias et al. the smallest errors are negligible and simple linear algebra suffices to recover the secret. But enlarging the error parameters makes the largest errors wrap around, thereby rendering the RLWE problem unsuitable for cryptographic applications. These observations also apply to dual RLWE, but do not contradict the seminal work by Lyubashevsky, Peikert and Regev.

    Advancements in Langmuir probe diagnostic for measurements in RF sheath and in modelling of the ICRF slow wave


    RLWE/PLWE equivalence for the maximal totally real subextension of the $2^rpq$-th cyclotomic field

    We generalise our previous work by giving a polynomial upper bound on the condition number of certain quasi-Vandermonde matrices to establish the equivalence between the RLWE and PLWE problems for the totally real subfield of the cyclotomic fields of conductor $2^r$, $2^rp$ and $2^rpq$ with $r \ge 1$ and $p, q$ arbitrary primes. Moreover, we give some cryptographic motivations for the study of these subfields.

    Trace-based cryptoanalysis of cyclotomic $R_{q,0}\times R_q$-PLWE for the non-split case

    We describe a decisional attack against a version of the PLWE problem in which the samples are taken from a certain proper subring of large dimension of the cyclotomic ring $\mathbb{F}_q[x]/(\Phi_{p^k}(x))$ with $k>1$ in the case where $q\equiv 1\pmod{p}$ but $\Phi_{p^k}(x)$ is not totally split over $\mathbb{F}_q$. Our attack uses the fact that the roots of $\Phi_{p^k}(x)$ over suitable extensions of $\mathbb{F}_q$ have zero trace, and has overwhelming success probability as a function of the number of input samples. An implementation in Maple and some examples of our attack are also provided.