All right, so hello everyone, my name is Jordan Wang. I will talk about rounding in rings. This is joint work with Fung Hallyu. This is the outline. First of all, I will give a quick overview of the background. Then I will talk about the new reduction from search Ring-LWR to decision Ring-LWR. Finally, I will show the new hardness results of Module-LWR with a leaky secret.

Okay, let's enter the first part. Our topic is motivated by post-quantum cryptography and aims to study the theoretical foundations of post-quantum cryptography. The motivation of post-quantum cryptography is that most public-key systems currently in use can be broken by large-scale quantum computers, because the underlying mathematical problems such as integer factorization, discrete logarithm, ECC and so on will be broken by the famous Shor's algorithm on quantum computers. Therefore, for future security, NIST calls for new standards: the cryptosystems should achieve post-quantum security and high efficiency simultaneously. And we know that deploying new standards can take a lot of time, so we had better start now.

To achieve this goal, one promising direction is lattice-based cryptography, which enjoys much focus in PQC. The foundations of lattice-based cryptography are hard lattice problems. However, basic lattice problems such as SVP or SIVP are not suitable for constructing cryptosystems directly. In 2005, Regev proposed a hard problem called Learning With Errors (LWE). Simply speaking, LWE aims to find the secret s from many noisy inner products of a random vector a and the secret, or to distinguish the pairs (a, b) from random pairs, where the noise is distributed as a discrete Gaussian. Since it was proposed, LWE has drawn wide attention because there is a reduction from basic lattice problems to LWE; that is to say, if the underlying lattice problem is hard for quantum computers, so is LWE. And we can design many advanced cryptosystems from LWE, such as fully homomorphic encryption and more.
Well, is plain LWE good enough? Plain LWE means LWE in the form we defined before. Actually, it is not, because of efficiency: usually, plain LWE suffers from large key sizes, and the Gaussian sampling involved in choosing the noise is cumbersome. And NIST also did not select the plain-LWE-based Frodo for the final list; it is a backup alternative. So what do we need? Maybe the so-called NewHope is the answer. Well, it is not the end, because we should achieve more with the so-called Kyber or Saber.

Let me explain a little more what the hope is. The hope is that we need more mathematical structure. So what additional mathematical structures can improve efficiency? We can work in rings, and we can use rounding. What do they mean? Instead of working over Z_q^n, we can work over R_q^k for some ring R. And instead of adding errors to the inner product, we can use rounding. In fact, these two ideas have been exploited in the NIST PQC submissions, for example NewHope and LAC in the second round and Kyber and Saber in the third round. However, working with additional mathematical structure may incur further subtleties, for example which ring should be chosen and how to round. Actually, these are exactly the motivations of Learning With Rounding over rings, or Ring-LWR.

So we first recall the definition of Ring-LWR, which was first proposed by Banerjee, Peikert and Rosen in 2012. In BPR12, Ring-LWR is defined with parameters p, q and the ring R. The search problem is to find the secret s from given samples of the form (a, b), where a is a random element in R_q and b equals the rounding of a times s. The rounding of an element x with respect to p, q is defined as ⌊(p/q)·x⌉ mod p. The decision problem is to distinguish the pairs (a, b) from uniformly random pairs. We know that Ring-LWE conceals the low-order bits of b by adding a small random error, and Ring-LWR just discards those bits instead.
Ring-LWR can be applied to many interesting cryptographic primitives, such as pseudorandom functions, computational reusable extractors, lossy trapdoor functions and all-but-one lossy trapdoor functions, and thus we obtain CCA2 public-key encryption via the framework of Peikert and Waters in 2008. We also construct a very simple deterministic encryption from Ring-LWR. Interestingly, among NIST's post-quantum round two and round three submissions, there are two submissions based on Ring-LWR: Saber in round three and Round5 in round two.

Okay, given the many useful applications above, it is important to determine the hardness of Ring-LWR, and it is also the focus of this work. I summarize the prior hardness results of plain LWR and Ring-LWR in the following figures. More precisely, we consider the hardness of these problems in two cases: with super-polynomial modulus and with polynomial modulus. For plain LWR, the hardness results are more complicated. First of all, we can show the basic reduction line of LWE from prior works, and there are simple reductions from search LWE to search LWR and from decision LWE to decision LWR with super-polynomial modulus from the work of BPR12. The work by Bai, Langlois, Lepoint, Stehlé and Steinfeld in 2015 and the work by Bogdanov, Guo, Masny, Richelson and Rosen in 2016 separately show a reduction from search LWE to search LWR with polynomial modulus, and the work of BGMRR16 also shows a reduction from search to decision LWR with polynomial modulus. Interestingly, the work by Alwen, Krenn, Pietrzak and Wichs in 2013 showed another reduction from decision LWE to decision LWR with polynomial modulus; their reduction holds even with a leaky secret. However, in the ring setting, the results are limited. Besides the basic reduction line of Ring-LWE from prior works, we can also show reductions to Ring-LWR with super-polynomial modulus in the same way as BPR12.
The work by BGMRR16 also shows a reduction from search Ring-LWE to search Ring-LWR with polynomial modulus, but there are two main open questions in the ring setting compared with plain LWR. On the one hand, we don't know the pseudorandomness of Ring-LWR with polynomial modulus. On the other hand, the hardness of Ring-LWR or Module-LWR with a leaky secret is still to be determined. Finally, it needs to be pointed out that a super-polynomial modulus suffers from worse efficiency and weaker security compared with a polynomial modulus. So it is important to determine the hardness results for Ring-LWR with polynomial modulus.

With these open questions, I now turn to the second part of this talk. This result answers one of the two main open questions in prior works. As a preparation for our reduction, I will introduce a new LWR framework, which captures a more flexible rounding procedure and encompasses more algebraic structures. Okay, so the rounding in prior works is implicitly defined according to the coefficient embedding, but this procedure does not suit rings with non-integral coefficients, such as the dual of the ring of integers. So here we propose a new rounding procedure: rounding according to a basis. We know that any ring of integers R has at least one Z-basis B. Then an element x in R can be interpreted as an integral combination of the basis B, and its rounding is taken with respect to the coefficients corresponding to B. Well, let's go a further step to define a new framework of LWR. This framework is inspired by the work of Peikert and Pepin in 2019, and it encompasses all algebraically structured LWR such as Ring-LWR, Order-LWR, Module-LWR and more. And we show that the hardness of Ring-LWR implies the hardness of Order-LWR, Module-LWR and Middle-Product LWR. So from this, we can focus on the hardness of Ring-LWR. Okay, then we show the pseudorandomness of Ring-LWR. The target is to show the reduction from search Ring-LWR to decision Ring-LWR.
Given Ring-LWR samples and a decision Ring-LWR oracle D, we wish to output s. The oracle D is defined to output 1 if the input pair is a Ring-LWR sample and 0 if the pair is random. At a high level, finding s is equivalent to finding the coefficients of s under the basis B. Our techniques are similar to those of LPR10, which showed the pseudorandomness of Ring-LWE. Our reduction path is as follows. Step one shows that if search Ring-LWR is hard, then the intermediate search problem 𝔭_i-Ring-LWR is also hard. Step two shows a reduction from 𝔭_i-Ring-LWR to an intermediate worst-case decision problem D-Ring-LWR_i, and step three shows the reduction from D-Ring-LWR_i to the average-case problem decision Ring-LWR. We remark that step three contains two sub-steps, which will be explained next.

Let me elaborate the reduction chain. As we mentioned before, step three has two sub-steps. The first one is a hybrid argument which shows that if there exists an algorithm D that can distinguish the pair (a, b) from a random pair, then there must exist a distinguisher D_i that can distinguish the pair (a, b mod 𝔭_i) from the pair (a, u mod 𝔭_i) for random u. Here we use the property that R_q (or R_p) can be factorized into a product of sub-rings under an isomorphism. The second sub-step is a worst-case to average-case reduction, which means that if we can solve the problem for uniform s, then we can solve the problem for all s. This step involves the re-randomization technique similar to BGMRR16. In detail, we transform the pair (a, b) into the pair (a·r, b), where r is a random invertible element; then the new element a' is also uniform, and s' = r^{-1}·s is also uniform over the invertible domain. Thus, this step requires s to be invertible. For step two, we use the standard guess-and-check trick, which means using D_i to find s mod 𝔭_i, where D_i distinguishes the pairs (a, b mod 𝔭_i) and (a, u mod 𝔭_i) as before.
Given the pair (a, b mod 𝔭_i), we transform it into (a + (q/p)·v, b + h + v·g), where v and h are defined appropriately and g is the guess of s mod 𝔭_i. More precisely, v is defined as the element that is uniformly random mod 𝔭_i and zero otherwise, and h is defined as uniformly random mod 𝔭_j for j less than i and zero otherwise. The existence of v and h comes from the Chinese remainder theorem. We can see that if g equals s mod 𝔭_i, the block of h + v·(g − s) in the 𝔭_i place is zero; otherwise, it is uniformly random. In the former case, b' + h + v·(g − s) mod 𝔭_i equals b' mod 𝔭_i, and in the latter case it is uniformly random, as h + v·(g − s) mod 𝔭_i acts as a one-time pad. Therefore, we can use the oracle D_i to test the two cases and try all possible values to find s mod 𝔭_i. Because we need to try all possible values, the size of s mod 𝔭_i should be polynomial, which requires the ideal pR to be highly split.

Furthermore, step one should show that finding s mod 𝔭_i for some 𝔭_i implies finding s mod 𝔭_j for any 𝔭_j. Here, we use the properties of the automorphisms in the Galois group. The pair (a, b mod 𝔭_j) can be transformed into the pair (σ_ij(a), σ_ij(b) mod 𝔭_i), because for any ideals 𝔭_i, 𝔭_j there exists σ_ij such that σ_ij(𝔭_j) = 𝔭_i. We wish the pair (σ_ij(a), σ_ij(b)) to be a valid sample for the search oracle S_i, such that σ_ij(b) equals the rounding of σ_ij(a) times σ_ij(s), and S_i can output σ_ij(s) mod 𝔭_i. Then we can use the inverse of this automorphism to find s mod 𝔭_j, and finally output s mod pR by the Chinese remainder theorem. So what do we need? It is that σ of the rounding equals the rounding of σ, which means that the automorphisms somehow commute with the rounding operation corresponding to a certain basis. How to achieve this? We find that rounding with respect to a normal integral basis is what we need. Simply speaking, a normal integral basis is a basis B of R such that any automorphism σ acts as a permutation on B.
That is, σ(B) equals B up to a permutation. Equipped with this basis, now we can compute σ of the rounding of a·s in this way. Here a·s can be interpreted as an integral combination of the basis B. The first equation is the definition of rounding with respect to the basis B, and the step in the red frame uses the property of the normal integral basis, because σ(B) and B are the same basis. From the argument above, we know that the normal integral basis is the key observation in our reduction, so we wish to determine the existence of normal integral bases. Here Hilbert and Speiser show that a normal integral basis exists if the underlying number field is tamely ramified over Q. This is a little involved. Specifically, the power-free cyclotomic rings satisfy this property. For better understanding, I give some simple examples. Here K = Q(ζ_{p0}) for some prime p0 and R is its ring of integers. Then they have a normal integral basis consisting of the powers of ζ_{p0} from 1 to p0 − 1. And when m equals the product of primes p_i, then K and R have a normal integral basis given by the tensor of the B_i, where B_i is the normal integral basis of Q(ζ_{p_i}).

Now we finish the reduction for the pseudorandomness of Ring-LWR, and then go a further step to the final part. This result answers the other open question in prior works. Before presenting our contribution, I'd like to introduce an interesting reduction for plain LWR proposed by the work of Alwen, Krenn, Pietrzak and Wichs in 2013. Their idea is to use LWE to show that the pair (A, rounding of A·s) is computationally indistinguishable from the pair (A, rounding of a random element). And the key to their reduction is an efficient lossy sampler with the following two properties. The first one is that the matrix A_lossy output by the lossy sampler is computationally indistinguishable from a random matrix A; LWE directly implies this.
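The Ring-LWR definition from the first part of the talk and the guess-and-check step described above, worked out in a toy ring as an added example; this is editorial code, not code from the talk or its authors. All parameters are constructed: n = 4, p = 17, q = 68 in Z_q[x]/(x^4 + 1). Because 17 ≡ 1 mod 8, x^4 + 1 splits completely mod 17, so pR is the product of four prime ideals 𝔭_i = (17, x − ω_i) and "s mod 𝔭_i" is the value s(ω_i) mod 17. The reduction only assumes the slot distinguisher D_i exists; here it is simulated with knowledge of the secret so that the loop can actually run. The re-randomisation (a + (q/p)·v, b + h + v·g), the CRT lifting of v and h, and the final CRT recombination follow the talk's description.

```python
# Added example: toy Ring-LWR over R_q = Z_q[x]/(x^N + 1) plus the guess-and-check
# step of the search-to-decision reduction.  Constructed parameters: N = 4,
# p = 17, q = 4 * 17.  Since 17 = 1 (mod 2N), x^4 + 1 splits completely mod 17, so
# pR = p_0 p_1 p_2 p_3 with p_i = (17, x - w_i), w_i the primitive 8th roots of
# unity mod 17; "s mod p_i" is the value s(w_i) mod 17 (a "slot").
import random

N, P, Q = 4, 17, 68
ROOTS = [2, 8, 15, 9]   # 2^1, 2^3, 2^5, 2^7 mod 17: the roots of x^4 + 1 mod 17


def negacyclic_mul(a, b, mod):
    """Product in Z_mod[x]/(x^N + 1): a term x^(i+j) with i+j >= N wraps with a sign flip."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj
    return [c % mod for c in res]


def round_pq(v):
    """Coefficient-wise floor((p/q) c + 1/2) mod p, computed in exact integer arithmetic."""
    return [((2 * P * c + Q) // (2 * Q)) % P for c in v]


def lwr_sample(a, s):
    """Ring-LWR: b = round(a * s mod q); the rounding discards the low-order bits of a*s."""
    return round_pq(negacyclic_mul(a, s, Q))


def slot(f, i):
    """f mod p_i, i.e. f(w_i) mod 17 by Horner's rule; a ring homomorphism R -> F_17."""
    acc = 0
    for c in reversed(f):
        acc = (acc * ROOTS[i] + c) % P
    return acc


def crt_lift(values):
    """CRT / Lagrange interpolation mod 17: the polynomial of degree < N with f(w_j) = values[j]."""
    f = [0] * N
    for j, yj in enumerate(values):
        basis, denom = [1], 1                      # L_j(x) = prod_{m != j} (x - w_m) / (w_j - w_m)
        for m in range(N):
            if m == j:
                continue
            basis = [0] + basis                    # multiply by x ...
            for k in range(len(basis) - 1):        # ... then subtract w_m times the old polynomial
                basis[k] = (basis[k] - ROOTS[m] * basis[k + 1]) % P
            denom = denom * (ROOTS[j] - ROOTS[m]) % P
        scale = yj * pow(denom, -1, P) % P
        f = [(fk + scale * c) % P for fk, c in zip(f, basis)]
    return f


def make_slot_oracle(s):
    """Simulated decision oracle D_i.  The reduction only assumes such a distinguisher
    exists; for the demo it is built from the secret itself and answers whether slot i
    of b' agrees with slot i of the honest rounding of a' * s."""
    def oracle(a2, b2, i):
        return slot(b2, i) == slot(lwr_sample(a2, s), i)
    return oracle


def guess_and_check(a, b, i, oracle, rng):
    """Step two of the talk: recover s mod p_i from one sample and the oracle D_i.
    For every guess g in F_17 we re-randomise
        a' = a + (q/p) * v  (mod q),    b' = b + h + v * g  (mod p),
    with v uniform mod p_i and 0 mod every other p_j, h uniform mod p_j for j < i and
    0 elsewhere.  Then round(a' * s) = b + v * s (mod p), so slot i of b' differs from
    the honest value by v(w_i) * (g - s(w_i)), which is 0 exactly when the guess is right."""
    for g in range(P):
        v = crt_lift([rng.randrange(1, P) if j == i else 0 for j in range(N)])
        h = crt_lift([rng.randrange(P) if j < i else 0 for j in range(N)])
        a2 = [(ai + (Q // P) * vi) % Q for ai, vi in zip(a, v)]
        b2 = [(bi + hi + g * vi) % P for bi, hi, vi in zip(b, h, v)]
        if oracle(a2, b2, i):
            return g
    return None


def recover_secret_mod_p(a, b, oracle, rng):
    """Collect s mod p_i for every i and recombine by CRT into s mod pR."""
    return crt_lift([guess_and_check(a, b, i, oracle, rng) for i in range(N)])


def demo(seed=1):
    """Constructed instance: ternary secret (so s mod pR determines s) and a random a."""
    rng = random.Random(seed)
    s = [rng.choice([0, 1, Q - 1]) for _ in range(N)]   # -1 is stored as q - 1 in R_q
    a = [rng.randrange(Q) for _ in range(N)]
    b = lwr_sample(a, s)
    recovered = recover_secret_mod_p(a, b, make_slot_oracle(s), rng)
    return [c % P for c in s], recovered
```

Running demo() recovers s mod pR from a single sample with at most 4 × 17 oracle calls; the guess space per slot has size |R/𝔭_i| = 17, which is exactly why the talk needs pR to be highly split.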
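The commutation σ(⌊x⌉_B) = ⌊σ(x)⌉_B that step one needs, checked in Q(ζ_5) as an added example; editorial code, not from the talk. It uses the talk's example with p0 = 5: the normal integral basis {ζ, ζ², ζ³, ζ⁴} of Z[ζ_5], compared against the power basis {1, ζ, ζ², ζ³}, which is not permuted by the Galois automorphisms. Coordinates are rationals (think of them as already scaled by p/q) and rounding is ⌊x + 1/2⌋ on each coordinate; the counterexample element and the random survey are constructed for this example.

```python
# Added example: rounding in Q(zeta_5) with respect to two Z-bases of Z[zeta_5].
# Write z = zeta_5 (primitive 5th root of unity, z^4 = -1 - z - z^2 - z^3).  The power
# basis is {1, z, z^2, z^3}; the normal integral basis (p0 = 5 in the talk's example) is
# {z, z^2, z^3, z^4}.  Elements are stored as four rational coordinates in the normal
# integral basis, index j - 1 holding the coefficient of z^j.  The Galois automorphisms
# sigma_k : z -> z^k (k = 1..4) permute {z, ..., z^4}, so coordinate-wise rounding in
# that basis commutes with them; rounding in the power basis need not.
import math
import random
from fractions import Fraction as Fr


def nearest(x):
    """floor(x + 1/2): the rounding applied to each coordinate (exact on Fractions)."""
    return math.floor(x + Fr(1, 2))


def sigma(k, d):
    """sigma_k(sum_j d[j-1] z^j) = sum_j d[j-1] z^(jk mod 5): a permutation of the coordinates."""
    out = [Fr(0)] * 4
    for j in range(1, 5):
        out[(j * k) % 5 - 1] = d[j - 1]
    return out


def nib_to_power(d):
    """Normal-integral-basis coordinates -> power-basis coordinates via z^4 = -1 - z - z^2 - z^3."""
    d1, d2, d3, d4 = d
    return [-d4, d1 - d4, d2 - d4, d3 - d4]


def power_to_nib(c):
    """Power-basis coordinates -> normal-integral-basis coordinates via 1 = -(z + z^2 + z^3 + z^4)."""
    c0, c1, c2, c3 = c
    return [c1 - c0, c2 - c0, c3 - c0, -c0]


def round_nib(d):
    """Rounding with respect to the normal integral basis: round each coordinate."""
    return [nearest(x) for x in d]


def round_power(d):
    """Rounding with respect to the power basis: change basis, round, change back."""
    return power_to_nib([nearest(x) for x in nib_to_power(d)])


def commutes(round_fn, k, d):
    """Is sigma_k(round(d)) == round(sigma_k(d))?  This is what step one of the reduction needs."""
    return sigma(k, round_fn(d)) == round_fn(sigma(k, d))


# Constructed counterexample for the power basis: x = 2/5 - (2/5) z^2 in power coordinates.
# Its coordinates all round to 0, but sigma_2 maps z^2 to z^4 = -1 - z - z^2 - z^3, so the
# constant coordinate of sigma_2(x) becomes 4/5 and rounds to 1.
COUNTEREXAMPLE = power_to_nib([Fr(2, 5), Fr(0), Fr(-2, 5), Fr(0)])


def survey(seed=0, trials=200):
    """Count commutation failures over random rational elements (coordinates in tenths)."""
    rng = random.Random(seed)
    fails = {"normal_integral": 0, "power": 0}
    for _ in range(trials):
        d = [Fr(rng.randrange(-20, 21), 10) for _ in range(4)]
        for k in range(1, 5):
            fails["normal_integral"] += not commutes(round_nib, k, d)
            fails["power"] += not commutes(round_power, k, d)
    return fails
```

survey() reports zero failures for the normal integral basis under every σ_k, while the power basis fails on a large fraction of random elements, because a basis change mixes coordinates before the rounding is applied.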
The second one is that the pair (A_lossy, rounding of A_lossy·s) preserves much of the entropy of s. The reduction path is as follows. Step one: switch A to A_lossy, or the reverse, by the LWE assumption. Step two is proved in an information-theoretic way, which relies on the leftover hash lemma over Z_q. This can even show the reduction for the case of a leaky secret. However, AKPW's approach cannot be applied to Ring-LWR. This is because a ring element a is usually invertible, and it is impossible to define the lossy sampler in this case. Furthermore, even if a is not invertible and the lossy sampler is defined, the rounding of a_lossy·s does not preserve enough entropy for extraction. In fact, Ring-LWR under certain leaky scenarios is insecure; we briefly describe the attacks as follows. We show that search Ring-LWR can be solved if the secret s completely falls into some ideal factor J of qR; actually, s carries no information on J's complement J̄, or is completely leaked on J̄. The high level is that J is a sub-lattice of R and J is more sparse than R, so a large perturbation over R is relatively small in J, and then we can apply Babai's algorithm to decode the perturbation.

Okay, from this part, we introduce our new hardness result of Module-LWR. The Module-LWR is defined as follows. We want to show a reduction from decision Ring-LWE to decision Module-LWR, even with leakage. Let's recall AKPW's approach again. We can generalize it to the ring setting as follows. Similar to AKPW, we can define the lossy sampler over rings, and the computational indistinguishability of step one relies on Ring-LWE. And the rounding of A_lossy·s preserves a large entropy of s if k is large. But the main barrier is that there is no ring leftover hash lemma. We finally get rid of this barrier by showing a ring leftover hash lemma. The high level is that the inner product over rings is a good extractor.
In order to interpret this lemma more precisely, we first introduce the hash function family indexed by a vector a in R_q^k. On input x, it computes the inner product of a and x modulo qR. We also define the function-and-output distribution D_{H,R,q} as the distribution of the pair (f_a, b), where f_a is sampled from the function family H and b = f_a(x) for some x sampled from the input domain. So the target is to show that the distribution D_{H,R,q} is statistically indistinguishable from the uniformly random distribution. Our main result is that we bound the statistical distance of the two distributions in this way. This bound is determined by the sum of the norms of the ideal factors Q of qR and the collision probability of the input domain mod Q. We sketch the ideas of our proof as follows. We first use a well-known inequality to bound the statistical distance by the collision probability of D, and then partition the remaining probability by ideals. It needs to be pointed out that Micciancio and Mol's approach of partitioning by GCD is not applicable to our case, because we cannot define a GCD for a non-unique factorization domain. We also rely on the Chinese remainder theorem, and on the fact that the prime ideal 𝔭_i is isomorphic to the ideal generated by the two elements q and f_i(r) for some monic irreducible f_i. For more details, please refer to our paper.

The statement of our leftover hash lemma is a little involved. Here, we apply it to concrete cases. From our lemma, we know that for a general ring, the statistical distance between the pair (a, inner product of a and s mod qR) and the random pair is bounded by ε when s mod any ideal factor Q has enough entropy. For cyclotomic rings, the entropy requirement on s can be weakened. And if we consider the ideal qR with large ideal factors, the entropy of s mod Q can be smaller.
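Why the lemma has to measure the entropy of s modulo every ideal factor of qR, and why a secret concentrated in an ideal factor cannot be hidden (the leaky case mentioned before the Module-LWR part), as an added example with exact arithmetic; editorial code, not from the talk or the paper. The setting is constructed: R_q = Z_5[x]/(x² + 1) with k = 2, where qR = 𝔓_0 𝔓_1 for 𝔓_0 = (5, x − 2) and 𝔓_1 = (5, x − 3); the two secret sets each have 25 elements, one with both components inside 𝔓_0 and one with full entropy modulo both factors. The statistical distance is computed exactly over all 625 keys rather than bounded via the lemma's formula, which the talk does not state in full.

```python
# Added example: exact statistical distance of (a, <a, x> mod qR) from uniform in a toy
# ring, for two secret distributions of the same size.  Constructed parameters:
# R_q = Z_5[x]/(x^2 + 1), k = 2.  Since x^2 + 1 = (x - 2)(x - 3) mod 5, qR = P0 * P1 with
# P0 = (5, x - 2) and P1 = (5, x - 3), and x -> (x(2), x(3)) is the CRT isomorphism
# R_5 -> F_5 x F_5.  The hash family is h_a(x) = a1*x1 + a2*x2 with a uniform in R_q^2.
from collections import Counter
from fractions import Fraction
from itertools import product

N, Q, K = 2, 5, 2


def ring_mul(a, b):
    """(a0 + a1 x)(b0 + b1 x) in Z_5[x]/(x^2 + 1), using x^2 = -1."""
    return ((a[0] * b[0] - a[1] * b[1]) % Q, (a[0] * b[1] + a[1] * b[0]) % Q)


def inner_product(a, x):
    """<a, x> = sum_i a_i * x_i in R_Q (a and x are K-tuples of ring elements)."""
    acc = (0,) * N
    for ai, xi in zip(a, x):
        acc = tuple((u + v) % Q for u, v in zip(acc, ring_mul(ai, xi)))
    return acc


def ring_elems():
    """All Q^N elements of R_Q as coefficient tuples (c0, c1)."""
    return list(product(range(Q), repeat=N))


def statistical_distance(secret_set):
    """Exact SD between (a, <a, x>) with a uniform in R_Q^K and x uniform over secret_set,
    and the uniform distribution on R_Q^K x R_Q, returned as a Fraction."""
    keys = list(product(ring_elems(), repeat=K))
    counts = Counter()
    for a in keys:
        for x in secret_set:
            counts[(a, inner_product(a, x))] += 1
    total = len(keys) * len(secret_set)      # every (a, x) pair has probability 1/total
    n_outcomes = len(keys) * Q ** N          # size of the space R_Q^K x R_Q
    u = Fraction(1, n_outcomes)
    sd = sum(abs(Fraction(c, total) - u) for c in counts.values())
    sd += u * (n_outcomes - len(counts))     # outcomes the hash never produces
    return sd / 2


def ideal_secret_set():
    """Secrets whose components both lie in P0 = {3t + t*x : t in F_5}: zero entropy mod P0,
    so <a, x> always lies in P0 as well and cannot look uniform."""
    p0 = [((3 * t) % Q, t) for t in range(Q)]
    return list(product(p0, repeat=K))


def spread_secret_set():
    """Secrets with components 1 + t*x: each component is uniform mod P0 and mod P1,
    i.e. full entropy modulo every ideal factor of qR, with the same set size (25)."""
    line = [(1, t) for t in range(Q)]
    return list(product(line, repeat=K))
```

With the same input entropy (log₂ 25 bits), the ideal-concentrated secret gives distance 504/625 ≈ 0.81 while the spread secret gives 2904/15625 ≈ 0.19 (the residual distance comes from the 145 keys whose two slot equations are linearly dependent); the only difference between the two inputs is the entropy of s mod 𝔓_0.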
It remains to remark that when qR has low splitting, the norms of the ideal factors are large, which means that s with small dimension sufficiently preserves enough entropy; and from the results above, smaller entropy of s mod Q is needed. So this case leads to small parameter sizes when applying our ring leftover hash lemma. On the other hand, high splitting of qR corresponds to large parameter sizes, but it may be able to accelerate the computation. For example, when q ≡ 1 mod 2n, we can apply the NTT to accelerate the computation. So there is a trade-off between space efficiency and computation when applying our lemma.

Finally, let me conclude this talk. From this talk, we know that in any cyclotomic ring, Ring-LWR is pseudorandom if Ring-LWR is one-way and qR is completely split. Does this hold in more general ring settings? And Module-LWR is pseudorandom even with leakage if Ring-LWE is pseudorandom and the secret s contains enough entropy mod any ideal factor of qR. But we don't know if this holds for Ring-LWR. Okay, thank you.