Provably Weak Instances of PLWE Revisited, Again
Learning with Errors has emerged as a promising possibility for post-quantum cryptography. Variants known as RLWE and PLWE have been shown to be more efficient, but the increased structure can leave them vulnerable to attacks for certain instantiations. This work aims to identify specific cases where proposed cryptographic schemes based on PLWE work particularly poorly under a specific attack.
Ring-LWE Cryptography for the Number Theorist
In this paper, we survey the status of attacks on the ring and polynomial learning with errors problems (RLWE and PLWE). Recent work on the security of these problems [Eisenträger-Hallgren-Lauter, Elias-Lauter-Ozman-Stange] gives rise to interesting questions about number fields. We extend these attacks and survey related open problems in number theory, including spectral distortion of an algebraic number and its relationship to Mahler measure, the monogenic property for the ring of integers of a number field, and the size of elements of small order modulo q.
Security considerations for Galois non-dual RLWE families
We explore further the hardness of the non-dual discrete variant of the Ring-LWE problem for various number rings, give improved attacks for certain rings satisfying some additional assumptions, construct a new family of vulnerable Galois number fields, and apply some number theoretic results on Gauss sums to deduce the likely failure of these attacks for 2-power cyclotomic rings and unramified moduli.
Characterizing Insecure Error Distributions For Various RLWE Problems
This thesis studies how a chosen set of parameters for a Ring Learning With Errors (RLWE) cryptographic instance affects its ability to withstand a certain type of attack. We begin with some non-technical motivation on the specific qualities of RLWE that support its candidacy as a post-quantum cryptographic protocol, and why such protocols are necessary due to recent developments in computing. We then discuss some of the context for RLWE, providing some overview on important concepts in algebraic number theory that underpin the mathematical structure of RLWE. We define several variants of RLWE which researchers in this field have analyzed, provide some detail on how these variants relate to each other, and cover some of the types of attacks against these variants. Following this overview, we introduce the experimental phase of this thesis project and cover the functionality of a program used to simulate an RLWE attack. Finally, we analyze some data generated as a result of tests run on our program and briefly discuss how it relates to previous hypotheses on how an RLWE instance's security should be characterized.
Provably weak instances of ring-LWE revisited
In CRYPTO 2015, Elias, Lauter, Ozman and Stange described an attack on the non-dual decision version of the ring learning with errors problem (RLWE) for two special families of defining polynomials, whose construction depends on the modulus q that is being used. For particularly chosen error parameters, they managed to solve non-dual decision RLWE given 20 samples, with a success rate ranging from 10% to 80%. In this paper we show how to solve the search version for the same families and error parameters, using only 7 samples with a success rate of 100%. Moreover, our attack works for every modulus q, not just the q that was used to construct the defining polynomial. The attack is based on the observation that the RLWE error distribution for these families of polynomials is very skewed in the directions of the polynomial basis. For the parameters chosen by Elias et al. the smallest errors are negligible and simple linear algebra suffices to recover the secret. But enlarging the error parameters makes the largest errors wrap around, thereby rendering the RLWE problem unsuitable for cryptographic applications. These observations also apply to dual RLWE, but do not contradict the seminal work by Lyubashevsky, Peikert and Regev.
RLWE/PLWE equivalence for the maximal totally real subextension of the 2^r pq-th cyclotomic field
We generalise our previous work by giving a polynomial upper bound on the condition number of certain quasi-Vandermonde matrices to establish the equivalence between the RLWE and PLWE problems for the totally real subfield of the cyclotomic fields of conductor 2^r, 2^r p and 2^r pq with r ≥ 1 and p, q arbitrary primes. Moreover, we give some cryptographic motivations for the study of these subfields.
Trace-based cryptanalysis of cyclotomic -PLWE for the non-split case
We describe a decisional attack against a version of the PLWE problem in which the samples are taken from a certain proper subring of large dimension of the cyclotomic ring with in the case where but is not totally split over . Our attack uses the fact that the roots of over suitable extensions of have zero trace and has overwhelming success probability as a function of the number of input samples. An implementation in Maple and some examples of our attack are also provided.