Questions tagged [ring-lwe]

Ring learning with errors (RLWE) is a computational problem which serves as the foundation of new cryptographic algorithms, such as NewHope, designed to protect against cryptanalysis by quantum computers and also to provide the basis for homomorphic encryption.

RLWE is more properly called Learning with Errors over Rings and is simply the larger learning with errors (LWE) problem specialized to polynomial rings over finite fields. Because of the presumed difficulty of solving the RLWE problem even on a quantum computer, RLWE-based cryptography may form the fundamental base for public-key cryptography in the future, just as the integer factorization and discrete logarithm problems have served as the base for public-key cryptography since the early 1980s. An important feature of basing cryptography on the ring learning with errors problem is the fact that the solution to the RLWE problem may be reducible to the NP-hard shortest vector problem (SVP) in a lattice.

(source: Wikipedia)

183 questions
31 votes, 1 answer

Uniform vs discrete Gaussian sampling in Ring learning with errors

The Wikipedia article on RLWE mentions two methods of sampling "small" polynomials namely uniform sampling and discrete Gaussian sampling. Uniform sampling is clearly the simplest, involving simply uniformly selecting the coefficients from the set…
13 votes, 2 answers

Is Ring-LWE now (2021) broken?

A recent (29 Mar 2021) article "Ring-LWE over two-to-power cyclotomics is not hard" by Hao Chen is available in pre-print here: https://eprint.iacr.org/2021/418 I'm not a cryptographer. Does this article mean that Ring-LWE is unsuitable for…
A. Hersean
11 votes, 0 answers

Decision R-LWE parameters for spherical error with worst-case hardness

In Peikert et al.'s most recent work (STOC 2017) a direct reduction of worst-case lattice problems to decision R-LWE is achieved for $\alpha q \ge 2 \cdot \omega(1)$ (Theorem 6.2), where $\alpha q$ is the Gaussian standard deviation. However, it is…
Daniela
10 votes, 2 answers

Difference between FFT and NTT

What are the main differences between the Fast Fourier Transform (FFT) and the Number Theoretical Transform (NTT)? Why do we use the NTT and not the FFT in cryptographic applications? Which one is a generalization of the other?
8 votes, 1 answer

NewHope and NIST's Post-quantum standardization

Where can I find NIST's reasoning to eliminate NewHope from the 3rd round of the post-quantum competition? I see all the lattice KEM finalists are based on modules. Did being a ring-based KEM contribute to their elimination? In this case, is there…
Rick
6 votes, 0 answers

Is qTesla Secure?

qTesla is a signature scheme and a submission to the NIST post-quantum standardization process, which made it to the second round. It is based on the hardness of RLWE. The NIST round 2 status report says that it didn't make it to round 3…
6 votes, 2 answers

MLWE (and RLWE) to LWE reductions proof

In crypto papers, cryptanalysis of MLWE/RLWE/etc. is often reduced to LWE. Why can we do this? Is there strict proof of such reductions?
OneUser
5 votes, 1 answer

What is the difference between Poly-LWE and Ring-LWE?

I am often confused by Poly-LWE and Ring-LWE, always thinking that they are different names for the same thing. In some literature, Poly-LWE is a simplified version of Ring-LWE? What is the difference?
hahalipv
5 votes, 3 answers

What do the output parameters of lwe estimator stand for?

I want to use lwe estimator to find classical and quantum security of my proposed key exchange protocol. On this website, I want to understand the output of sage code on lwe estimator given below. sage: load("estimator.py") sage: n, alpha, q =…
5 votes, 0 answers

ring-LWE: Minkowski Embedding, the Co-Different Ideal, etc

While (trying) to go over the reductions from approx. SVP on ideal lattices to search ring-LWE, [1] and [2], for $K = \mathbb{Q}(\zeta)$ where $\zeta$ is an abstract root of a cyclotomic polynomial, the ring-LWE error distribution $\psi$ is defined…
5 votes, 1 answer

Ring LWE distribution definitions

This may be a stupid question but I've been stuck on parsing these definitions for a while. I am reading the paper "On Ideal Lattices and Learning with Errors Over Rings" by Lyubashevsky, Peikert, and Regev. I am trying to understand the error…
4 votes, 2 answers

LWE and pseudorandom functions

Consider the learning with errors problem. Assuming LWE (or a variant of LWE, like ring LWE) is hard for polynomial time algorithms, can we construct a family of pseudorandom functions from there?
4 votes, 1 answer

Functional and security model for SEAL

What's the functional and security model for SEAL? From this I get that it allows additions and multiplications to be performed on encrypted integers or reals. But what are the limitations, like range, precision, on inputs and outputs? What…
fgrieu
4 votes, 1 answer

Prove that a small Ring-LWE secret is unique

I just want to know whether my proof is correct, which is about proving that if the Ring-LWE secret is small, then it is unique. Before giving my proof, here is a fact: Fact 1: $\Pr [\Vert r \Vert_\infty \leq \beta: r\xleftarrow{\$} R_q]\leq…
Chito Miranda
4 votes, 2 answers

Is FFT for power-of-two cyclotomic rings possible if q is not 1 modulo 2n?

For RLWE (Ring Learning With Errors) scheme, we use $R_{q} = \mathbb{Z}_{q}[x]/(x^{n} +1) = \mathbb{Z}_{q}[x]/(\Phi_{2n}(x))$ where $n = 2^{d}$ for some $d$. Since there exists $2n$-th root of unity in $\mathbb{Z}_{q}$ (which is the generator of the…
Seewoo Lee