a very brief introduction to lattice-based...
TRANSCRIPT
![Page 1: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/1.jpg)
A Very Brief Introduction to Lattice-BasedCryptography
Erkay Savas
Department of Computer Science and EngineeringSabancı University
November 15, 2018
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 2: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/2.jpg)
Outline
LatticesRing Learning with Errors (Ring-LWE) problemA Public Key Cryptosystem based on Ring-LWEFully Homomorphic Encryption
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 3: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/3.jpg)
Lattices & Hard Lattice Problems
A full rank lattice Λ, which is a discrete additive subgroup ofthe n-dimensional real space Rn, is the integer spanΛ = L(B) = {Bz|z ∈ Zn} of a basis B = (b1, . . . , bn).The minimum distance λ1(Λ) of a lattice Λ is the length(usually in the Euclidean `2 norm) of its shortest nonzerovector; namely λ1(Λ) = min06=~x∈Λ||x||Shortest Vector Problem (SVP) Given a lattice basis B forΛ, find the shortest nonzero vector in Λ.Closest Vector Problem (CVP) Given a lattice basis B and apoint in real space v (not necessarily on the lattice), find theclosest lattice point
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 4: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/4.jpg)
q-ary Lattices
Given an arbitrary matrix of A ∈ Zn×m, q-ary lattices aredefined as
Λq(A) = {y ∈ Zm : y = AT s (mod q) for some s ∈ Zn}Λ⊥q (A) = {y ∈ Zm : Ay = 0 (mod q)}
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 5: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/5.jpg)
Ring-LWE
Consider the ring of polynomials R = Z[x]/Φ(x), where Φ(x)is cyclotomic polynomial of degree n, where n is a power of 2.
– R is the set of polynomials of degree less than n with integercoefficients.
Addition: standard polynomial additionMultiplication: standard polynomial multiplication andreduction modulo Φ(x) = xn + 1
Rq denotes the ring R reduced modulo q;
– i.e., Rq = Zq[x]/Φ(x)a ∈ Rq is a polynomial a = a0 + a1x+ . . .+ an−1x
n−1
ai ∈ [−q/2, q/2] for i = 0, 1, . . . , n− 1Example: q = 7, F7 = {−3,−2,−1, 0, 1, 2, 3}
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 6: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/6.jpg)
Ring-LWE
Consider the ring of polynomials R = Z[x]/Φ(x), where Φ(x)is cyclotomic polynomial of degree n, where n is a power of 2.
– R is the set of polynomials of degree less than n with integercoefficients.
Addition: standard polynomial additionMultiplication: standard polynomial multiplication andreduction modulo Φ(x) = xn + 1
Rq denotes the ring R reduced modulo q;
– i.e., Rq = Zq[x]/Φ(x)a ∈ Rq is a polynomial a = a0 + a1x+ . . .+ an−1x
n−1
ai ∈ [−q/2, q/2] for i = 0, 1, . . . , n− 1Example: q = 7, F7 = {−3,−2,−1, 0, 1, 2, 3}
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 7: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/7.jpg)
Ring-LWE
Consider the ring of polynomials R = Z[x]/Φ(x), where Φ(x)is cyclotomic polynomial of degree n, where n is a power of 2.
– R is the set of polynomials of degree less than n with integercoefficients.
Addition: standard polynomial additionMultiplication: standard polynomial multiplication andreduction modulo Φ(x) = xn + 1
Rq denotes the ring R reduced modulo q;
– i.e., Rq = Zq[x]/Φ(x)a ∈ Rq is a polynomial a = a0 + a1x+ . . .+ an−1x
n−1
ai ∈ [−q/2, q/2] for i = 0, 1, . . . , n− 1Example: q = 7, F7 = {−3,−2,−1, 0, 1, 2, 3}
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 8: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/8.jpg)
Ring-LWE
Consider the ring of polynomials R = Z[x]/Φ(x), where Φ(x)is cyclotomic polynomial of degree n, where n is a power of 2.
– R is the set of polynomials of degree less than n with integercoefficients.
Addition: standard polynomial additionMultiplication: standard polynomial multiplication andreduction modulo Φ(x) = xn + 1
Rq denotes the ring R reduced modulo q;
– i.e., Rq = Zq[x]/Φ(x)a ∈ Rq is a polynomial a = a0 + a1x+ . . .+ an−1x
n−1
ai ∈ [−q/2, q/2] for i = 0, 1, . . . , n− 1Example: q = 7, F7 = {−3,−2,−1, 0, 1, 2, 3}
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 9: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/9.jpg)
Ring-LWE
Consider the ring of polynomials R = Z[x]/Φ(x), where Φ(x)is cyclotomic polynomial of degree n, where n is a power of 2.
– R is the set of polynomials of degree less than n with integercoefficients.
Addition: standard polynomial additionMultiplication: standard polynomial multiplication andreduction modulo Φ(x) = xn + 1
Rq denotes the ring R reduced modulo q;– i.e., Rq = Zq[x]/Φ(x)a ∈ Rq is a polynomial a = a0 + a1x+ . . .+ an−1x
n−1
ai ∈ [−q/2, q/2] for i = 0, 1, . . . , n− 1Example: q = 7, F7 = {−3,−2,−1, 0, 1, 2, 3}
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 10: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/10.jpg)
Error Distribution: DR,σ
The operation e← DR,σ outputs a polynomial in R, whosecoefficients are sampled from a normal distribution with 0mean and standard deviation σ.
– In other words, it outputs a polynomial with “small”coefficients if σ is small (e.g. σ = 3.5)
Let B0 be a bound on normal distribution with µ = 0 and σWe can use error function erf to compute B0
For a normal distribution with µ = 0 and σ, erf(
aσ√
2
)is the
probability that a sample lies in (−a, a) for positive a.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 11: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/11.jpg)
Error Distribution: DR,σ
The operation e← DR,σ outputs a polynomial in R, whosecoefficients are sampled from a normal distribution with 0mean and standard deviation σ.
– In other words, it outputs a polynomial with “small”coefficients if σ is small (e.g. σ = 3.5)
Let B0 be a bound on normal distribution with µ = 0 and σWe can use error function erf to compute B0
For a normal distribution with µ = 0 and σ, erf(
aσ√
2
)is the
probability that a sample lies in (−a, a) for positive a.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 12: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/12.jpg)
Error Distribution: DR,σ
The operation e← DR,σ outputs a polynomial in R, whosecoefficients are sampled from a normal distribution with 0mean and standard deviation σ.
– In other words, it outputs a polynomial with “small”coefficients if σ is small (e.g. σ = 3.5)
Let B0 be a bound on normal distribution with µ = 0 and σWe can use error function erf to compute B0
For a normal distribution with µ = 0 and σ, erf(
aσ√
2
)is the
probability that a sample lies in (−a, a) for positive a.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 13: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/13.jpg)
Error Distribution: DR,σ
The operation e← DR,σ outputs a polynomial in R, whosecoefficients are sampled from a normal distribution with 0mean and standard deviation σ.
– In other words, it outputs a polynomial with “small”coefficients if σ is small (e.g. σ = 3.5)
Let B0 be a bound on normal distribution with µ = 0 and σ
We can use error function erf to compute B0
For a normal distribution with µ = 0 and σ, erf(
aσ√
2
)is the
probability that a sample lies in (−a, a) for positive a.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 14: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/14.jpg)
Error Distribution: DR,σ
The operation e← DR,σ outputs a polynomial in R, whosecoefficients are sampled from a normal distribution with 0mean and standard deviation σ.
– In other words, it outputs a polynomial with “small”coefficients if σ is small (e.g. σ = 3.5)
Let B0 be a bound on normal distribution with µ = 0 and σWe can use error function erf to compute B0
For a normal distribution with µ = 0 and σ, erf(
aσ√
2
)is the
probability that a sample lies in (−a, a) for positive a.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 15: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/15.jpg)
Error Distribution: DR,σ
The operation e← DR,σ outputs a polynomial in R, whosecoefficients are sampled from a normal distribution with 0mean and standard deviation σ.
– In other words, it outputs a polynomial with “small”coefficients if σ is small (e.g. σ = 3.5)
Let B0 be a bound on normal distribution with µ = 0 and σWe can use error function erf to compute B0
For a normal distribution with µ = 0 and σ, erf(
aσ√
2
)is the
probability that a sample lies in (−a, a) for positive a.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 16: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/16.jpg)
Hard Problems
Two hard problems can be given:
– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σand set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.
– Ring LWE Decision Problem: Given (a, b) where a, b ∈ Rq,determine which of the following two cases holds:
(i) b is chosen uniformly at random (b←Rq)(ii) b← a · s+ e where a, s←Rq and e← DR,σ
Ring-LWE Problems are still hard even if s← DR,σ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 17: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/17.jpg)
Hard Problems
Two hard problems can be given:
– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σand set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.
– Ring LWE Decision Problem: Given (a, b) where a, b ∈ Rq,determine which of the following two cases holds:
(i) b is chosen uniformly at random (b←Rq)(ii) b← a · s+ e where a, s←Rq and e← DR,σ
Ring-LWE Problems are still hard even if s← DR,σ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 18: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/18.jpg)
Hard Problems
Two hard problems can be given:– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σ
and set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.
– Ring LWE Decision Problem: Given (a, b) where a, b ∈ Rq,determine which of the following two cases holds:
(i) b is chosen uniformly at random (b←Rq)(ii) b← a · s+ e where a, s←Rq and e← DR,σ
Ring-LWE Problems are still hard even if s← DR,σ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 19: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/19.jpg)
Hard Problems
Two hard problems can be given:– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σ
and set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.
– Ring LWE Decision Problem: Given (a, b) where a, b ∈ Rq,determine which of the following two cases holds:
(i) b is chosen uniformly at random (b←Rq)(ii) b← a · s+ e where a, s←Rq and e← DR,σ
Ring-LWE Problems are still hard even if s← DR,σ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 20: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/20.jpg)
Hard Problems
Two hard problems can be given:– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σ
and set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.
– Ring LWE Decision Problem: Given (a, b) where a, b ∈ Rq,determine which of the following two cases holds:
(i) b is chosen uniformly at random (b←Rq)
(ii) b← a · s+ e where a, s←Rq and e← DR,σ
Ring-LWE Problems are still hard even if s← DR,σ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 21: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/21.jpg)
Hard Problems
Two hard problems can be given:– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σ
and set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.
– Ring LWE Decision Problem: Given (a, b) where a, b ∈ Rq,determine which of the following two cases holds:
(i) b is chosen uniformly at random (b←Rq)(ii) b← a · s+ e where a, s←Rq and e← DR,σ
Ring-LWE Problems are still hard even if s← DR,σ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 22: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/22.jpg)
Hard Problems
Two hard problems can be given:– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σ
and set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.
– Ring LWE Decision Problem: Given (a, b) where a, b ∈ Rq,determine which of the following two cases holds:
(i) b is chosen uniformly at random (b←Rq)(ii) b← a · s+ e where a, s←Rq and e← DR,σ
Ring-LWE Problems are still hard even if s← DR,σ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 23: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/23.jpg)
Hardness of Ring-LWE Assumptions
Depends on the ring dimension n, the size of q and σwe use the LWE estimator accessible viahttps://bitbucket.org/malb/lwe-estimator/overview
Table: σ = 4.578 (δ is the root Hermite factor)
n k λ δclassical quantum
512 24 84.1 79.1 1.0065461024 27 149.3 138.3 1.0039411024 31 126.2 117.4 1.0045711024 32 121.6 113.1 1.0047271024 33 117.2 109.2 1.0048861024 34 113.1 105.4 1.0050451024 35 109.0 101.7 1.0052041024 36 105.5 98.5 1.0056301024 37 102.5 95.9 1.0055141024 38 99.1 92.7 1.0056781024 39 96.1 90.1 1.005837
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 24: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/24.jpg)
A PKC based on Ring-LWE - Key Generation
We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.
i) s, e← DR,σii) a← Rq
iii) b← as+ pe (mod q)
– public key: pk ← (a, b)– secret key: sk ← s
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 25: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/25.jpg)
A PKC based on Ring-LWE - Key Generation
We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)
Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.
i) s, e← DR,σii) a← Rq
iii) b← as+ pe (mod q)
– public key: pk ← (a, b)– secret key: sk ← s
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 26: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/26.jpg)
A PKC based on Ring-LWE - Key Generation
We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.
{p, q,R, σ}: public domain parameters.
i) s, e← DR,σii) a← Rq
iii) b← as+ pe (mod q)
– public key: pk ← (a, b)– secret key: sk ← s
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 27: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/27.jpg)
A PKC based on Ring-LWE - Key Generation
We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.
i) s, e← DR,σii) a← Rqiii) b← as+ pe (mod q)
– public key: pk ← (a, b)– secret key: sk ← s
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 28: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/28.jpg)
A PKC based on Ring-LWE - Key Generation
We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.
i) s, e← DR,σ
ii) a← Rqiii) b← as+ pe (mod q)
– public key: pk ← (a, b)– secret key: sk ← s
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 29: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/29.jpg)
A PKC based on Ring-LWE - Key Generation
We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.
i) s, e← DR,σii) a← Rq
iii) b← as+ pe (mod q)
– public key: pk ← (a, b)– secret key: sk ← s
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 30: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/30.jpg)
A PKC based on Ring-LWE - Key Generation
We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.
i) s, e← DR,σii) a← Rqiii) b← as+ pe (mod q)
– public key: pk ← (a, b)– secret key: sk ← s
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 31: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/31.jpg)
A PKC based on Ring-LWE - Key Generation
We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.
i) s, e← DR,σii) a← Rqiii) b← as+ pe (mod q)
– public key: pk ← (a, b)
– secret key: sk ← s
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 32: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/32.jpg)
A PKC based on Ring-LWE - Key Generation
We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.
i) s, e← DR,σii) a← Rqiii) b← as+ pe (mod q)
– public key: pk ← (a, b)– secret key: sk ← s
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 33: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/33.jpg)
A PKC based on R-LWE - Encryption
Let µ ∈ Rp be an arbitrary message
i) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µ
iii) c1 ← ae0 + pe2
– Ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 34: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/34.jpg)
A PKC based on R-LWE - Encryption
Let µ ∈ Rp be an arbitrary message
i) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µiii) c1 ← ae0 + pe2
– Ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 35: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/35.jpg)
A PKC based on R-LWE - Encryption
Let µ ∈ Rp be an arbitrary messagei) e0, e1, e2 ← DR,σ
ii) c0 ← be0 + pe1 + µiii) c1 ← ae0 + pe2
– Ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 36: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/36.jpg)
A PKC based on R-LWE - Encryption
Let µ ∈ Rp be an arbitrary messagei) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µ
iii) c1 ← ae0 + pe2
– Ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 37: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/37.jpg)
A PKC based on R-LWE - Encryption
Let µ ∈ Rp be an arbitrary messagei) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µiii) c1 ← ae0 + pe2
– Ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 38: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/38.jpg)
A PKC based on R-LWE - Encryption
Let µ ∈ Rp be an arbitrary messagei) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µiii) c1 ← ae0 + pe2
– Ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 39: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/39.jpg)
A PKC based on R-LWE - Decryption
µ← (c0 − c1s (mod q)) (mod p)Decryption is a vector product 〈(c0, c1), (1,−s )〉 where
– secret key: (1,−s )– ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 40: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/40.jpg)
A PKC based on R-LWE - Decryption
µ← (c0 − c1s (mod q)) (mod p)
Decryption is a vector product 〈(c0, c1), (1,−s )〉 where
– secret key: (1,−s )– ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 41: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/41.jpg)
A PKC based on R-LWE - Decryption
µ← (c0 − c1s (mod q)) (mod p)Decryption is a vector product 〈(c0, c1), (1,−s )〉 where
– secret key: (1,−s )– ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 42: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/42.jpg)
A PKC based on R-LWE - Decryption
µ← (c0 − c1s (mod q)) (mod p)Decryption is a vector product 〈(c0, c1), (1,−s )〉 where
– secret key: (1,−s )
– ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 43: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/43.jpg)
A PKC based on R-LWE - Decryption
µ← (c0 − c1s (mod q)) (mod p)Decryption is a vector product 〈(c0, c1), (1,−s )〉 where
– secret key: (1,−s )– ciphertext: (c0, c1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 44: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/44.jpg)
Correctness of the decryption operation
µ = (c0 − c1s (mod q)) (mod p)= ((be0 − pe1 + µ)− (ase0 − pe2s) (mod q)) (mod p)= (p(ee0 + e1 − e2s) + µ (mod q)) (mod p)= (p · “small” + µ (mod q)) (mod p)
(p · “small” + µ (mod q)) (mod p) will return µ only ifp · “small” + µ < p · “small” + p <
q
2 .
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 45: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/45.jpg)
Correctness of the decryption operation
µ = (c0 − c1s (mod q)) (mod p)= ((be0 − pe1 + µ)− (ase0 − pe2s) (mod q)) (mod p)= (p(ee0 + e1 − e2s) + µ (mod q)) (mod p)= (p · “small” + µ (mod q)) (mod p)
(p · “small” + µ (mod q)) (mod p) will return µ only ifp · “small” + µ < p · “small” + p <
q
2 .
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 46: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/46.jpg)
Correctness of the decryption operation
µ = (c0 − c1s (mod q)) (mod p)= ((be0 − pe1 + µ)− (ase0 − pe2s) (mod q)) (mod p)= (p(ee0 + e1 − e2s) + µ (mod q)) (mod p)= (p · “small” + µ (mod q)) (mod p)
(p · “small” + µ (mod q)) (mod p) will return µ only ifp · “small” + µ < p · “small” + p <
q
2 .
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 47: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/47.jpg)
Correctness Constraint
For correct decryption, we should have
p(ee0 + e1 − e2s) + p <q
2 ,
where s, e, e0, e1, e2 are sampled from the same distribution.Also they are all in R = Z[x]/Φ(x)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 48: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/48.jpg)
Correctness Constraint
For correct decryption, we should have
p(ee0 + e1 − e2s) + p <q
2 ,
where s, e, e0, e1, e2 are sampled from the same distribution.
Also they are all in R = Z[x]/Φ(x)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 49: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/49.jpg)
Correctness Constraint
For correct decryption, we should have
p(ee0 + e1 − e2s) + p <q
2 ,
where s, e, e0, e1, e2 are sampled from the same distribution.Also they are all in R = Z[x]/Φ(x)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 50: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/50.jpg)
Correctness Constraint
p(ee0 + e1 − e2s+ 1) < q
2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 51: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/51.jpg)
Correctness Constraint
p(ee0 + e1 − e2s+ 1) < q
2
Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 52: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/52.jpg)
Correctness Constraint
p(ee0 + e1 − e2s+ 1) < q
2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)
What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 53: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/53.jpg)
Correctness Constraint
p(ee0 + e1 − e2s+ 1) < q
2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?
Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 54: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/54.jpg)
Correctness Constraint
p(ee0 + e1 − e2s+ 1) < q
2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.
‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 55: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/55.jpg)
Correctness Constraint
p(ee0 + e1 − e2s+ 1) < q
2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 56: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/56.jpg)
Correctness Constraint - Example
R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R
– c0 = a0b0 − a1b3 − a2b2 − a3b1– c1 = a0b1 + a1b0 − a2b3 − a3b2– c2 = a0b2 + a1b1 + a2b0 − a3b3– c3 = a0b3 + a1b2 + a2b1 + a3b0
Every coefficient in ci is the sum of four (n = 4) productterms.An upper bound for a product term is B2
0
An upper bound for a coefficient is then nB20 (a bit loose
upper bound)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 57: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/57.jpg)
Correctness Constraint - Example
R = Z[x]/Φ8(x) (m = 8, n = 4)
Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R
– c0 = a0b0 − a1b3 − a2b2 − a3b1– c1 = a0b1 + a1b0 − a2b3 − a3b2– c2 = a0b2 + a1b1 + a2b0 − a3b3– c3 = a0b3 + a1b2 + a2b1 + a3b0
Every coefficient in ci is the sum of four (n = 4) productterms.An upper bound for a product term is B2
0
An upper bound for a coefficient is then nB20 (a bit loose
upper bound)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 58: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/58.jpg)
Correctness Constraint - Example
R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1
c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R
– c0 = a0b0 − a1b3 − a2b2 − a3b1– c1 = a0b1 + a1b0 − a2b3 − a3b2– c2 = a0b2 + a1b1 + a2b0 − a3b3– c3 = a0b3 + a1b2 + a2b1 + a3b0
Every coefficient in ci is the sum of four (n = 4) productterms.An upper bound for a product term is B2
0
An upper bound for a coefficient is then nB20 (a bit loose
upper bound)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 59: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/59.jpg)
Correctness Constraint - Example
R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R
– c0 = a0b0 − a1b3 − a2b2 − a3b1– c1 = a0b1 + a1b0 − a2b3 − a3b2– c2 = a0b2 + a1b1 + a2b0 − a3b3– c3 = a0b3 + a1b2 + a2b1 + a3b0
Every coefficient in ci is the sum of four (n = 4) productterms.An upper bound for a product term is B2
0
An upper bound for a coefficient is then nB20 (a bit loose
upper bound)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 60: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/60.jpg)
Correctness Constraint - Example
R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R
– c0 = a0b0 − a1b3 − a2b2 − a3b1– c1 = a0b1 + a1b0 − a2b3 − a3b2– c2 = a0b2 + a1b1 + a2b0 − a3b3– c3 = a0b3 + a1b2 + a2b1 + a3b0
Every coefficient in ci is the sum of four (n = 4) productterms.An upper bound for a product term is B2
0
An upper bound for a coefficient is then nB20 (a bit loose
upper bound)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 61: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/61.jpg)
Correctness Constraint - Example
R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R
– c0 = a0b0 − a1b3 − a2b2 − a3b1– c1 = a0b1 + a1b0 − a2b3 − a3b2– c2 = a0b2 + a1b1 + a2b0 − a3b3– c3 = a0b3 + a1b2 + a2b1 + a3b0
Every coefficient in ci is the sum of four (n = 4) productterms.
An upper bound for a product term is B20
An upper bound for a coefficient is then nB20 (a bit loose
upper bound)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 62: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/62.jpg)
Correctness Constraint - Example
R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R
– c0 = a0b0 − a1b3 − a2b2 − a3b1– c1 = a0b1 + a1b0 − a2b3 − a3b2– c2 = a0b2 + a1b1 + a2b0 − a3b3– c3 = a0b3 + a1b2 + a2b1 + a3b0
Every coefficient in ci is the sum of four (n = 4) productterms.An upper bound for a product term is B2
0
An upper bound for a coefficient is then nB20 (a bit loose
upper bound)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 63: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/63.jpg)
Correctness Constraint - Example
R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R
– c0 = a0b0 − a1b3 − a2b2 − a3b1– c1 = a0b1 + a1b0 − a2b3 − a3b2– c2 = a0b2 + a1b1 + a2b0 − a3b3– c3 = a0b3 + a1b2 + a2b1 + a3b0
Every coefficient in ci is the sum of four (n = 4) productterms.An upper bound for a product term is B2
0
An upper bound for a coefficient is then nB20 (a bit loose
upper bound)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 64: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/64.jpg)
Correctness Constraint - Cont.
Let η = ee0 + e1 − e2s
An upper bound for η is, then, nB20 +B0 + nB2
0
pη+µ < p(nB20 +B0+nB2
0 +1) < q
2 ⇒ q > 2p(2nB20 +B0+1)
Let B = (2nB20 +B0) bound for η then q > 2p(B + 1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 65: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/65.jpg)
Correctness Constraint - Cont.
Let η = ee0 + e1 − e2s
An upper bound for η is, then, nB20 +B0 + nB2
0
pη+µ < p(nB20 +B0+nB2
0 +1) < q
2 ⇒ q > 2p(2nB20 +B0+1)
Let B = (2nB20 +B0) bound for η then q > 2p(B + 1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 66: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/66.jpg)
Correctness Constraint - Cont.
Let η = ee0 + e1 − e2s
An upper bound for η is, then, nB20 +B0 + nB2
0
pη+µ < p(nB20 +B0+nB2
0 +1) < q
2 ⇒ q > 2p(2nB20 +B0+1)
Let B = (2nB20 +B0) bound for η then q > 2p(B + 1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 67: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/67.jpg)
Correctness Constraint - Cont.
Let η = ee0 + e1 − e2s
An upper bound for η is, then, nB20 +B0 + nB2
0
pη+µ < p(nB20 +B0+nB2
0 +1) < q
2 ⇒ q > 2p(2nB20 +B0+1)
Let B = (2nB20 +B0) bound for η then q > 2p(B + 1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 68: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/68.jpg)
Correctness Constraint - Cont.
Let η = ee0 + e1 − e2s
An upper bound for η is, then, nB20 +B0 + nB2
0
pη+µ < p(nB20 +B0+nB2
0 +1) < q
2 ⇒ q > 2p(2nB20 +B0+1)
Let B = (2nB20 +B0) bound for η then q > 2p(B + 1)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 69: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/69.jpg)
Fully Homomorphic Encryption
µ ∈ Rpc = E(µ, pk)c ∈ R2
q
Additive Homomorphism:
D(E(µ, pk) + E(µ, pk), sk) = µ+ µ
Multiplicative Homomorphism:
D(E(µ, pk) · E(µ, pk), sk) = µ · µ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 70: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/70.jpg)
Fully Homomorphic Encryption
µ ∈ Rp
c = E(µ, pk)c ∈ R2
q
Additive Homomorphism:
D(E(µ, pk) + E(µ, pk), sk) = µ+ µ
Multiplicative Homomorphism:
D(E(µ, pk) · E(µ, pk), sk) = µ · µ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 71: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/71.jpg)
Fully Homomorphic Encryption
µ ∈ Rpc = E(µ, pk)
c ∈ R2q
Additive Homomorphism:
D(E(µ, pk) + E(µ, pk), sk) = µ+ µ
Multiplicative Homomorphism:
D(E(µ, pk) · E(µ, pk), sk) = µ · µ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 72: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/72.jpg)
Fully Homomorphic Encryption
µ ∈ Rpc = E(µ, pk)c ∈ R2
q
Additive Homomorphism:
D(E(µ, pk) + E(µ, pk), sk) = µ+ µ
Multiplicative Homomorphism:
D(E(µ, pk) · E(µ, pk), sk) = µ · µ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 73: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/73.jpg)
Fully Homomorphic Encryption
µ ∈ Rpc = E(µ, pk)c ∈ R2
q
Additive Homomorphism:
D(E(µ, pk) + E(µ, pk), sk) = µ+ µ
Multiplicative Homomorphism:
D(E(µ, pk) · E(µ, pk), sk) = µ · µ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 74: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/74.jpg)
Fully Homomorphic Encryption
µ ∈ Rpc = E(µ, pk)c ∈ R2
q
Additive Homomorphism:
D(E(µ, pk) + E(µ, pk), sk) = µ+ µ
Multiplicative Homomorphism:
D(E(µ, pk) · E(µ, pk), sk) = µ · µ
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 75: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/75.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic
– Consider two ciphertexts c and c, which encrypts µ and µ,respectively,
c = (c0, c1)c = (c0, c1)
– Consider also the decryption operation
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 76: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/76.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic
– Consider two ciphertexts c and c, which encrypts µ and µ,respectively,
c = (c0, c1)c = (c0, c1)
– Consider also the decryption operation
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 77: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/77.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic– Consider two ciphertexts c and c, which encrypts µ and µ,
respectively,
c = (c0, c1)c = (c0, c1)
– Consider also the decryption operation
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 78: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/78.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic– Consider two ciphertexts c and c, which encrypts µ and µ,
respectively,c = (c0, c1)
c = (c0, c1)– Consider also the decryption operation
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 79: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/79.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic– Consider two ciphertexts c and c, which encrypts µ and µ,
respectively,c = (c0, c1)c = (c0, c1)
– Consider also the decryption operation
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 80: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/80.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic– Consider two ciphertexts c and c, which encrypts µ and µ,
respectively,c = (c0, c1)c = (c0, c1)
– Consider also the decryption operation
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 81: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/81.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic
– Now, apply addition to ciphertexts c+ c and decrypt
〈c+ c, (1,−s)〉 = (c0 + c0 − sc1 − sc1 (mod q)) (mod p)= (c0 − sc1 + c0 − sc1 (mod q)) (mod p)= (µ+ pη + µ+ pη (mod q)) (mod p)= (µ+ µ+ p(η + η) (mod q)) (mod p)
– So long as p(η + η) + (µ+ µ) < q
2 , modulo q reduction doesnot happen ⇒ CORRECT decryption
– An upper bound for both pη and pη is 2pB– Then, an upper bound for p(η + η) is the 4pB– The noise increases linearly
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 82: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/82.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic
– Now, apply addition to ciphertexts c+ c and decrypt
〈c+ c, (1,−s)〉 = (c0 + c0 − sc1 − sc1 (mod q)) (mod p)= (c0 − sc1 + c0 − sc1 (mod q)) (mod p)= (µ+ pη + µ+ pη (mod q)) (mod p)= (µ+ µ+ p(η + η) (mod q)) (mod p)
– So long as p(η + η) + (µ+ µ) < q
2 , modulo q reduction doesnot happen ⇒ CORRECT decryption
– An upper bound for both pη and pη is 2pB– Then, an upper bound for p(η + η) is the 4pB– The noise increases linearly
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 83: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/83.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic– Now, apply addition to ciphertexts c+ c and decrypt
〈c+ c, (1,−s)〉 = (c0 + c0 − sc1 − sc1 (mod q)) (mod p)= (c0 − sc1 + c0 − sc1 (mod q)) (mod p)= (µ+ pη + µ+ pη (mod q)) (mod p)= (µ+ µ+ p(η + η) (mod q)) (mod p)
– So long as p(η + η) + (µ+ µ) < q
2 , modulo q reduction doesnot happen ⇒ CORRECT decryption
– An upper bound for both pη and pη is 2pB– Then, an upper bound for p(η + η) is the 4pB– The noise increases linearly
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 84: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/84.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic– Now, apply addition to ciphertexts c+ c and decrypt
〈c+ c, (1,−s)〉 = (c0 + c0 − sc1 − sc1 (mod q)) (mod p)= (c0 − sc1 + c0 − sc1 (mod q)) (mod p)= (µ+ pη + µ+ pη (mod q)) (mod p)= (µ+ µ+ p(η + η) (mod q)) (mod p)
– So long as p(η + η) + (µ+ µ) < q
2 , modulo q reduction doesnot happen ⇒ CORRECT decryption
– An upper bound for both pη and pη is 2pB– Then, an upper bound for p(η + η) is the 4pB– The noise increases linearly
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 85: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/85.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic– Now, apply addition to ciphertexts c+ c and decrypt
〈c+ c, (1,−s)〉 = (c0 + c0 − sc1 − sc1 (mod q)) (mod p)= (c0 − sc1 + c0 − sc1 (mod q)) (mod p)= (µ+ pη + µ+ pη (mod q)) (mod p)= (µ+ µ+ p(η + η) (mod q)) (mod p)
– So long as p(η + η) + (µ+ µ) < q
2 , modulo q reduction doesnot happen ⇒ CORRECT decryption
– An upper bound for both pη and pη is 2pB
– Then, an upper bound for p(η + η) is the 4pB– The noise increases linearly
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 86: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/86.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic– Now, apply addition to ciphertexts c+ c and decrypt
〈c+ c, (1,−s)〉 = (c0 + c0 − sc1 − sc1 (mod q)) (mod p)= (c0 − sc1 + c0 − sc1 (mod q)) (mod p)= (µ+ pη + µ+ pη (mod q)) (mod p)= (µ+ µ+ p(η + η) (mod q)) (mod p)
– So long as p(η + η) + (µ+ µ) < q
2 , modulo q reduction doesnot happen ⇒ CORRECT decryption
– An upper bound for both pη and pη is 2pB– Then, an upper bound for p(η + η) is the 4pB
– The noise increases linearly
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 87: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/87.jpg)
Additive Homomorphism
Our Ring-LWE-based PKC system is additively homomorphic– Now, apply addition to ciphertexts c+ c and decrypt
〈c+ c, (1,−s)〉 = (c0 + c0 − sc1 − sc1 (mod q)) (mod p)= (c0 − sc1 + c0 − sc1 (mod q)) (mod p)= (µ+ pη + µ+ pη (mod q)) (mod p)= (µ+ µ+ p(η + η) (mod q)) (mod p)
– So long as p(η + η) + (µ+ µ) < q
2 , modulo q reduction doesnot happen ⇒ CORRECT decryption
– An upper bound for both pη and pη is 2pB– Then, an upper bound for p(η + η) is the 4pB– The noise increases linearly
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 88: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/88.jpg)
Homomorphic addition of l ciphertexts
µ(1), . . . , µ(l) → c(1), . . . , c(l)⟨c(1) + . . .+ c(l), (1,−s)
⟩= µ(1) + . . .+ µ(l) + p(η(1) + . . .+ η(l))
An upper bound for p(η(1) + . . .+ η(l)) is then 2lpBEventually, the error term will exceed q
2 depending on l and p.
This means that we can perform only a limited number ofhomomorphic additions of ciphertexts, whereby this number isdetermined mainly by p and q.This is what is known as SOMEWHAT HOMOMORPHICENCRYPTION system (SWHE or SHE)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 89: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/89.jpg)
Homomorphic addition of l ciphertexts
µ(1), . . . , µ(l) → c(1), . . . , c(l)⟨c(1) + . . .+ c(l), (1,−s)
⟩= µ(1) + . . .+ µ(l) + p(η(1) + . . .+ η(l))
An upper bound for p(η(1) + . . .+ η(l)) is then 2lpB
Eventually, the error term will exceed q
2 depending on l and p.
This means that we can perform only a limited number ofhomomorphic additions of ciphertexts, whereby this number isdetermined mainly by p and q.This is what is known as SOMEWHAT HOMOMORPHICENCRYPTION system (SWHE or SHE)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 90: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/90.jpg)
Homomorphic addition of l ciphertexts
µ(1), . . . , µ(l) → c(1), . . . , c(l)⟨c(1) + . . .+ c(l), (1,−s)
⟩= µ(1) + . . .+ µ(l) + p(η(1) + . . .+ η(l))
An upper bound for p(η(1) + . . .+ η(l)) is then 2lpBEventually, the error term will exceed q
2 depending on l and p.
This means that we can perform only a limited number ofhomomorphic additions of ciphertexts, whereby this number isdetermined mainly by p and q.This is what is known as SOMEWHAT HOMOMORPHICENCRYPTION system (SWHE or SHE)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 91: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/91.jpg)
Homomorphic addition of l ciphertexts
µ(1), . . . , µ(l) → c(1), . . . , c(l)⟨c(1) + . . .+ c(l), (1,−s)
⟩= µ(1) + . . .+ µ(l) + p(η(1) + . . .+ η(l))
An upper bound for p(η(1) + . . .+ η(l)) is then 2lpBEventually, the error term will exceed q
2 depending on l and p.
This means that we can perform only a limited number ofhomomorphic additions of ciphertexts, whereby this number isdetermined mainly by p and q.
This is what is known as SOMEWHAT HOMOMORPHICENCRYPTION system (SWHE or SHE)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 92: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/92.jpg)
Homomorphic addition of l ciphertexts
µ(1), . . . , µ(l) → c(1), . . . , c(l)⟨c(1) + . . .+ c(l), (1,−s)
⟩= µ(1) + . . .+ µ(l) + p(η(1) + . . .+ η(l))
An upper bound for p(η(1) + . . .+ η(l)) is then 2lpBEventually, the error term will exceed q
2 depending on l and p.
This means that we can perform only a limited number ofhomomorphic additions of ciphertexts, whereby this number isdetermined mainly by p and q.This is what is known as SOMEWHAT HOMOMORPHICENCRYPTION system (SWHE or SHE)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 93: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/93.jpg)
Multiplicative Homomorphism
Our Ring-LWE-based PKC supports homomorphicmultiplication of ciphertexts
– Suppose two ciphertexts c = (c0, c1) and c = (c0, c1)encrypting µ and µ, respectively.Define tensor product of c and c as
c⊗ c = (c0c0, c0c1, c1c0, c1c1) = (d0, d1, d2, d3)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 94: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/94.jpg)
Multiplicative Homomorphism
Our Ring-LWE-based PKC supports homomorphicmultiplication of ciphertexts
– Suppose two ciphertexts c = (c0, c1) and c = (c0, c1)encrypting µ and µ, respectively.Define tensor product of c and c as
c⊗ c = (c0c0, c0c1, c1c0, c1c1) = (d0, d1, d2, d3)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 95: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/95.jpg)
Multiplicative Homomorphism
Our Ring-LWE-based PKC supports homomorphicmultiplication of ciphertexts
– Suppose two ciphertexts c = (c0, c1) and c = (c0, c1)encrypting µ and µ, respectively.
Define tensor product of c and c as
c⊗ c = (c0c0, c0c1, c1c0, c1c1) = (d0, d1, d2, d3)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 96: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/96.jpg)
Multiplicative Homomorphism
Our Ring-LWE-based PKC supports homomorphicmultiplication of ciphertexts
– Suppose two ciphertexts c = (c0, c1) and c = (c0, c1)encrypting µ and µ, respectively.Define tensor product of c and c as
c⊗ c = (c0c0, c0c1, c1c0, c1c1) = (d0, d1, d2, d3)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 97: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/97.jpg)
Multiplicative Homomorphism - Decryption forMutiplication of Ciphertexts
Now, we have four-dimensional ciphertext, which will decryptwith respect to the “secret key” vector(1,−s)⊗ (1,−s) = (1,−s,−s, s2) since
⟨c⊗ c, (1,−s,−s, s2)
⟩= (d0 − d1s− d2s+ d3s
2 (mod q)) (mod p)= c0c0 − c0c1s− c1c0s+ c1c1s
2
= (c0 − c1s)(c0 − c1s)(modq)= (µ+ pη)(µ+ pη)(modq)= (µµ+ p(µη + µη + pηη) (mod q)) (mod p)= (µµ+ pηf (mod q)) (mod p)
Therefore, c⊗ c is an encryption of µµ under the secret key(1,−s,−s, s2)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 98: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/98.jpg)
Multiplicative Homomorphism - Decryption forMutiplication of Ciphertexts
Now, we have four-dimensional ciphertext, which will decryptwith respect to the “secret key” vector(1,−s)⊗ (1,−s) = (1,−s,−s, s2) since
⟨c⊗ c, (1,−s,−s, s2)
⟩= (d0 − d1s− d2s+ d3s
2 (mod q)) (mod p)= c0c0 − c0c1s− c1c0s+ c1c1s
2
= (c0 − c1s)(c0 − c1s)(modq)= (µ+ pη)(µ+ pη)(modq)= (µµ+ p(µη + µη + pηη) (mod q)) (mod p)= (µµ+ pηf (mod q)) (mod p)
Therefore, c⊗ c is an encryption of µµ under the secret key(1,−s,−s, s2)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 99: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/99.jpg)
Multiplicative Homomorphism - Decryption forMutiplication of Ciphertexts
Now, we have four-dimensional ciphertext, which will decryptwith respect to the “secret key” vector(1,−s)⊗ (1,−s) = (1,−s,−s, s2) since⟨c⊗ c, (1,−s,−s, s2)
⟩= (d0 − d1s− d2s+ d3s
2 (mod q)) (mod p)= c0c0 − c0c1s− c1c0s+ c1c1s
2
= (c0 − c1s)(c0 − c1s)(modq)= (µ+ pη)(µ+ pη)(modq)= (µµ+ p(µη + µη + pηη) (mod q)) (mod p)= (µµ+ pηf (mod q)) (mod p)
Therefore, c⊗ c is an encryption of µµ under the secret key(1,−s,−s, s2)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 100: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/100.jpg)
Multiplicative Homomorphism - Decryption forMutiplication of Ciphertexts
Now, we have four-dimensional ciphertext, which will decryptwith respect to the “secret key” vector(1,−s)⊗ (1,−s) = (1,−s,−s, s2) since⟨c⊗ c, (1,−s,−s, s2)
⟩= (d0 − d1s− d2s+ d3s
2 (mod q)) (mod p)= c0c0 − c0c1s− c1c0s+ c1c1s
2
= (c0 − c1s)(c0 − c1s)(modq)= (µ+ pη)(µ+ pη)(modq)= (µµ+ p(µη + µη + pηη) (mod q)) (mod p)= (µµ+ pηf (mod q)) (mod p)
Therefore, c⊗ c is an encryption of µµ under the secret key(1,−s,−s, s2)
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 101: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/101.jpg)
Noise Increases Quadratically
⟨c⊗ c, (1,−s,−s, s2)
⟩= (µµ+ pηf (mod q)) (mod p)
ηf = µη + µη + pηη
For correct decryption µµ+ pηf <q
2µ, µ < p, µµ < p2 and η, η < B.ηf < pB + pB + pB2
µµ+ pηf < p2 + p2(2B +B2) < q
2q > 2p2(B2 + 2B + 1)Noise increases quadratically.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 102: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/102.jpg)
Noise Increases Quadratically
⟨c⊗ c, (1,−s,−s, s2)
⟩= (µµ+ pηf (mod q)) (mod p)
ηf = µη + µη + pηη
For correct decryption µµ+ pηf <q
2µ, µ < p, µµ < p2 and η, η < B.ηf < pB + pB + pB2
µµ+ pηf < p2 + p2(2B +B2) < q
2q > 2p2(B2 + 2B + 1)Noise increases quadratically.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 103: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/103.jpg)
Noise Increases Quadratically
⟨c⊗ c, (1,−s,−s, s2)
⟩= (µµ+ pηf (mod q)) (mod p)
ηf = µη + µη + pηη
For correct decryption µµ+ pηf <q
2µ, µ < p, µµ < p2 and η, η < B.ηf < pB + pB + pB2
µµ+ pηf < p2 + p2(2B +B2) < q
2q > 2p2(B2 + 2B + 1)Noise increases quadratically.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 104: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/104.jpg)
Noise Increases Quadratically
⟨c⊗ c, (1,−s,−s, s2)
⟩= (µµ+ pηf (mod q)) (mod p)
ηf = µη + µη + pηη
For correct decryption µµ+ pηf <q
2
µ, µ < p, µµ < p2 and η, η < B.ηf < pB + pB + pB2
µµ+ pηf < p2 + p2(2B +B2) < q
2q > 2p2(B2 + 2B + 1)Noise increases quadratically.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 105: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/105.jpg)
Noise Increases Quadratically
⟨c⊗ c, (1,−s,−s, s2)
⟩= (µµ+ pηf (mod q)) (mod p)
ηf = µη + µη + pηη
For correct decryption µµ+ pηf <q
2µ, µ < p, µµ < p2 and η, η < B.
ηf < pB + pB + pB2
µµ+ pηf < p2 + p2(2B +B2) < q
2q > 2p2(B2 + 2B + 1)Noise increases quadratically.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 106: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/106.jpg)
Noise Increases Quadratically
⟨c⊗ c, (1,−s,−s, s2)
⟩= (µµ+ pηf (mod q)) (mod p)
ηf = µη + µη + pηη
For correct decryption µµ+ pηf <q
2µ, µ < p, µµ < p2 and η, η < B.ηf < pB + pB + pB2
µµ+ pηf < p2 + p2(2B +B2) < q
2q > 2p2(B2 + 2B + 1)Noise increases quadratically.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 107: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/107.jpg)
Noise Increases Quadratically
⟨c⊗ c, (1,−s,−s, s2)
⟩= (µµ+ pηf (mod q)) (mod p)
ηf = µη + µη + pηη
For correct decryption µµ+ pηf <q
2µ, µ < p, µµ < p2 and η, η < B.ηf < pB + pB + pB2
µµ+ pηf < p2 + p2(2B +B2) < q
2
q > 2p2(B2 + 2B + 1)Noise increases quadratically.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 108: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/108.jpg)
Noise Increases Quadratically
⟨c⊗ c, (1,−s,−s, s2)
⟩= (µµ+ pηf (mod q)) (mod p)
ηf = µη + µη + pηη
For correct decryption µµ+ pηf <q
2µ, µ < p, µµ < p2 and η, η < B.ηf < pB + pB + pB2
µµ+ pηf < p2 + p2(2B +B2) < q
2q > 2p2(B2 + 2B + 1)
Noise increases quadratically.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography
![Page 109: A Very Brief Introduction to Lattice-Based Cryptographypeople.sabanciuniv.edu/~mlavrauw/algebra_seminar/slides/...A Very Brief Introduction to Lattice-Based Cryptography Erkay Savas¸](https://reader036.vdocument.in/reader036/viewer/2022062508/6051a170819c0c77e04c7ee1/html5/thumbnails/109.jpg)
Noise Increases Quadratically
⟨c⊗ c, (1,−s,−s, s2)
⟩= (µµ+ pηf (mod q)) (mod p)
ηf = µη + µη + pηη
For correct decryption µµ+ pηf <q
2µ, µ < p, µµ < p2 and η, η < B.ηf < pB + pB + pB2
µµ+ pηf < p2 + p2(2B +B2) < q
2q > 2p2(B2 + 2B + 1)Noise increases quadratically.
Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography