Hello, and thank you for clicking on this video, where I will be talking about the integer polynomial learning with errors problem, which we studied with Amin Sakzad, Damien Stehlé and Ron Steinfeld. Before starting, I will give a brief overview of our results, and to do so I need to introduce an informal definition of both search polynomial learning with errors and search integer polynomial learning with errors. In both cases you are given samples of the form (a, a·s + e), and in both cases you must find s. The main difference is that in SPLWE everything is a polynomial mod F, while in SIPLWE you substitute q for the unknown x, so instead of having polynomials you now have integers mod F(q), because you also substituted q for the unknown x in F. So they are very similar, and we actually proved that they are computationally equivalent for a large class of moduli F. Moreover, on top of that, we give a one-way CPA secure public-key encryption scheme whose security relies on the search IPLWE assumption. Indeed, the security of PLWE is already well studied and well known, but the integer variant of the problem is actually quite new: it was only studied in the worst case for one modulus, and there is some concrete security analysis, but everything else is missing. However, a module extension of this problem was considered in one of the second-round NIST candidates, which is called ThreeBears, and as such it is interesting to see if it is possible to get the reduction we found, notably because it is a way to prove the security of ThreeBears, but also because it paves the way for new cryptosystems based on IPLWE instead of PLWE. It is interesting because you can take advantage of the security of PLWE and at the same time you can use fast large-integer arithmetic.
In the following 20 minutes, I will first, formally this time, describe the problems. Then we will see that the difference between them is the carries. I will then state the reduction and explain how the public-key encryption works. Before stating the formal definition of the problems, I need to give you two tools. The first one is how to sample a Gaussian distribution over polynomials. It is actually done by identifying the polynomial with its coefficient vector; that is the only thing we have to do. We first introduce the following notation for the act of sampling first the coefficient vector and then turning it into a polynomial. We then need a way to go from polynomials to integers, and to do so we introduce the polynomial evaluation, by first stating that if I have a polynomial with coefficients in (-q/2, q/2), I simply substitute q for the unknown x and I get an integer in Z. To extend it to Z_q[x], what we need to do is take representatives of the coefficients of the polynomial in (-q/2, q/2) and apply this recipe. Then, if I want to extend it to Z_q[x]/F, I simply take a representative of the polynomial which has degree strictly less than that of F, and then I apply the previous recipe to compute its evaluation in Z. Thanks to that, we are now ready to describe the polynomial learning with errors problem. So in all of the following talk I will be taking q odd, and F will always be x^m + 1, but note that q can be taken even, it works also, and different F are available to us too. This is all done in the full paper, but for simplicity I restrict myself to these two cases. We also need two Gaussian parameters. Then the PLWE problem is: given this kind of samples, compute the secret, where the secret follows a Gaussian distribution, a_i is uniformly sampled over polynomials mod F, and e_i also follows a Gaussian distribution. It is important to note that sigma prime is different from sigma; that is necessary for our reduction. However, the standard case is sigma equal to sigma prime.
So how do we go from there? Well, it is actually easy to reduce the standard case to ours by adding some noise to get a different noise level and secret noise level. To describe a first attempt at defining IPLWE, we could do the following: before we compute the samples, we evaluate each polynomial, and we get something mod F(q) by applying mod F(q) at the end. This is actually not the right way of doing things, because we have more integers than polynomials, and this creates a few problems. One of them is for instance that the support of the evaluation of the uniform distribution is not the full set Z_{q^m+1}. So it is quite problematic, and the right way to do things is actually to sample a_i directly uniformly over Z_{F(q)}, and we actually sample one more coefficient for the noise and for the secret, until we are in this range, which will be used as the representatives range for Z_{F(q)}. We want to do so for the noise because we want the domain of the noise to be bigger than the integer ring. However, we may have some big rejection probability, so to reduce it, it is actually possible to just sample the first m coefficients and then only add or subtract q^m with some probability, because as soon as we add or subtract 2q^m we will always be outside of this range and thus rejected. It is important to note that this is a different noise and secret distribution than the original definition, because, as I said, we want the domain of the noise to be bigger than the whole set Z_{F(q)}. So we have seen how to go from polynomials to integers, but how do we go from integers to polynomials?
The idea is to write the q-ary decomposition of integers, but to center the coefficients: instead of taking coefficients in [0, q-1], we take them in (-q/2, q/2). With this definition we can also decompose negative integers, which is something we want to do. Then the map phi_q is defined as the map which, to an integer a, maps the polynomial whose coefficients are the coefficients of the q-ary decomposition. It has good properties because it is a bijection and its inverse is simply the polynomial evaluation. So this is what we were looking for. However, remember we are working from Z_{F(q)} to Z_q[x]/F, so we do not quite have the right domain, but it will be easy to fix, simply by applying mod F(q) and mod F reduction wherever needed. This is what we do, and we actually set, as I said, this range as the representative range for Z_{F(q)}, so as long as we are able to turn elements of this range into polynomials in Z_q[x]/F, we will consider that we can do it for Z_{F(q)}. And to do it, yes, as I said, we simply apply a mod F reduction. This is still interesting, because if I take any polynomial P, first evaluate it mod F(q) and then apply phi_{q,F}, I find P back. So this means that phi_{q,F} is surjective and the evaluation mod F(q) is injective. But we cannot hope to have bijections, because phi_{q,F} has collisions, notably because we have more integers than polynomials. So it is the right notion, but it is not ideal either, and we will see that it is even less ideal because phi_q is not a morphism, and phi_{q,F} will be even less of a morphism, if I can say that. Let us take an example. If I compute phi_3(2), I get x - 1: it is 3 - 1. phi_3(3) is x. But if I add both polynomials I get -x - 1, because I am working mod 3. But the sum should be x^2 - x - 1. And what is the difference? It is because if I do the schoolbook addition of 2 plus 3, I get 0 minus 1; that is the -1 I get here. I get x plus x.
I get 2x, so I get -x, but I have a carry, and reporting the carry I get the x^2 that I found here. So actually the main difference between operations for polynomials and operations for integers, with our way to view things, is the presence or absence of carries. As such, if we compute phi_q(a + b) - (phi_q(a) + phi_q(b)), this is exactly the carries that happened in the schoolbook addition of a plus b in base q. The same thing goes for multiplication, and we are able to bound the size of the carries. OK, so it is at most one in the case of additions, but in the case of multiplication we are only able to bound it using the size of a and b, which brings some trouble. But remember, here we are working from Z to Z_q[x], and we want to work mod F(q) and mod F. So we define the same thing, but this time with mods wherever needed, and we simply have to start from the following observation: every time I want to compute a mod, be it polynomial or integer, I just need to add or subtract a certain number of times a certain quantity. So in the end I am able to express the carries mod F and mod F(q) as functions of the previous carries that I had. So yes, for instance, if I want to compute phi_q(a + b) mod (q^m + 1) mod (x^m + 1), then I have two addition carries, because I have at most two integer additions, a plus b and then plus or minus q^m + 1, and then I have a few additions or subtractions of q^m + 1. In the end we found the following bounds on the carries, and yes, as before, it is constant for additions and dependent on the size of a and b for multiplication. And if I take a uniform a, which will be happening in the SIPLWE problem, then the second bound can be expressed depending on the size of b solely, and that is why we need a small PLWE secret: we want this bound to be useful. With that said, we are almost ready to state our reduction.
Before stating the reduction, I need to give you the right tool for the job, which is the Rényi divergence. We will not be using the statistical distance but rather the divergence, because we have a pretty nice lemma which tells us that if I have two Gaussian distributions with the same standard deviation but different centers, then I have this bound on the divergence between both of them. The divergence has some pretty nice properties, and the most useful of them for our case is the data processing inequality, which lets us remove F in our bounds, and the multiplicativity bound, which lets us handle the case of couples. So when we have a sample we need to deal with a couple, so that will be important. And finally the most important one is the probability preservation, because it states that if E is an event, for instance an adversary A wins a certain game, then I can lower bound the probability of it happening under Q with the probability of it happening under P and the Rényi divergence. So as long as the divergence is polynomial, we have a security reduction.
We can have a security reduction, and it is easier to have this quantity polynomial than if we used the statistical distance. So, to give you the intuition of the reductions, let us first take a look at how we go from polynomials to integers. We compute the evaluation in q for each sample, OK, and we give it to the SIPLWE solver, and we get an answer that we hope is the right answer. And to get from integers to polynomials, as we said, we write integers as polynomials by applying phi_{q,F} on both components of each sample. To give you a rough and very high-level reduction analysis, we have the four following points. The first one states that, if I evaluate my polynomials (let us focus only on this part of the reduction), it can be seen as unevaluated polynomials times the evaluation of the other polynomial plus some noise, where the noise is the noise we had at the beginning minus the carries that we did not have in the polynomial operations. So we need to check that the divergence between the distribution of a_i(q) and the uniform distribution over the whole set should be at most three. This is the first part, and then we want to apply the previous lemma about the divergence of Gaussian distributions with the same standard deviation, and it should give us something like that, and then, using multiplicativity and the data processing inequality, we should be able to get ourselves out of trouble. But there are two main problems. The first one is that the divergence is defined if and only if we have some support inclusion, as here, and that is not the case here. So there is one problem first, and the second problem is that the offset is actually dependent on the noise we have sampled.
So we cannot directly apply the previous lemma, but these are all technical things that we took care of in the paper. So it is just to show you that it is a bit more complicated than expected, but in the end it all works and we get the following result: if this quantity is satisfied, then SPLWE with parameters q, sigma, sigma prime, t reduces to the integer version of it with q, sigma, sigma prime and t as parameters. So it is very interesting because there is no noise growth: no need for bigger noise. This big equation might seem hard to satisfy, but it is actually easy if you set the parameters in this order: first the number of samples t, then the degree of the polynomial m, and from this point on you have to choose the first Gaussian parameter sigma prime such that m over sigma prime is small enough. Then you can choose sigma to make this over sigma small enough, and finally you choose q big enough when compared to sigma, sigma prime and the infinity norm of F, depending on what kind of application you have in mind. From that we also have the reverse reduction, and this gives us that both problems are actually equivalent, and without any kind of noise growth. So that is pretty interesting, and from this we are able to propose a public-key encryption based on the search version of integer polynomial learning with errors. It is adapted from an already existing scheme, but we use it with integer polynomial learning with errors, and we must add some tweak to recover the randomness used in the encryption. The key generation is pretty simple.
We generate an SIPLWE sample and use it as public key, and keep the noise and the secret as secret key. Then, to encrypt, we compute the following quantity, where the message is (t, e', e''). In the following we will need to assume for correctness that F(q) is prime, and if that is the case, once we have recovered t, since a, b and k are all public, it then becomes easy to recover e' and e''. So the decryption algorithm focuses mainly on recovering t. To do so we compute c_2 - c_1·s, and we can see that it is e·t plus k times some stuff, OK. And what we do is we compute each coefficient of the decomposition mod k, and if k times stuff is small enough, smaller than q for instance, then it will be erased by this operation, and then the result will only be equal to e·t. Hence, to recover t, we compute the result times e^{-1}, and then, as we said, it is easy to recover e' and e''. So, yes, the scheme is correct for F(q) prime, k small, and for the following message space, where t, e' and e'' are small too. And it satisfies one-way CPA security, which states that if I am given a ciphertext for a plaintext which I randomly sampled following the following tail-cut Gaussian distributions, then it is hard to compute the plaintext which was used for the encryption. To give you an idea of the proof, we first replace a and b with an evaluated PLWE sample. So these are now evaluated polynomials.
Using the decision PLWE assumption, it is indistinguishable from the uniform distribution; b is now indistinguishable from uniform. But decision PLWE is equivalent to search PLWE, which is equivalent to search IPLWE. Finally, we notice that an encryption is almost a sample of the SIPLWE distribution, or two: it is almost two samples of SIPLWE. First, it is hard to compute the plaintext back because it is hard to break SIPLWE by assumption. The OW-CPA assumption is something which is interesting because it can be turned into a CCA2 key exchange mechanism in the random oracle model or quantum random oracle model using the Fujisaki-Okamoto transforms. Thank you for listening up until now, and see you.
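The carries example from the talk (phi_3(2) + phi_3(3) is -x - 1 in Z_3[x], while phi_3(5) is x^2 - x - 1), worked in code as an added example that is not from the talk or the paper. It assumes polynomials are stored as coefficient lists kept centered in (-q/2, q/2] for odd q, and it covers only the Z to Z_q[x] map phi_q and its carry difference, without the mod F and mod F(q) reductions of phi_{q,F}.

```python
# Added worked example (not code from the talk or the paper): the map phi_q,
# its inverse (evaluation at x = q) and the carry difference
# phi_q(a+b) - (phi_q(a) + phi_q(b)).  Polynomials are lists, index i = x^i.

def centered(v, q):
    """Representative of v mod q in (-q/2, q/2] (q odd, as in the talk)."""
    r = v % q
    return r - q if r > q // 2 else r

def phi_q(a, q):
    """Centered q-ary digits of the integer a; handles negative a too."""
    digits = []
    while a != 0:
        d = centered(a, q)
        digits.append(d)
        a = (a - d) // q          # exact: a - d is a multiple of q
    return digits                 # [] is the zero polynomial

def evaluate(p, q):
    """Inverse of phi_q on centered polynomials: substitute x = q."""
    return sum(c * q ** i for i, c in enumerate(p))

def poly_add(p1, p2, q):
    """Coefficient-wise addition in Z_q[x], result re-centered."""
    n = max(len(p1), len(p2))
    p1, p2 = p1 + [0] * (n - len(p1)), p2 + [0] * (n - len(p2))
    return [centered(a + b, q) for a, b in zip(p1, p2)]

def poly_sub(p1, p2, q):
    return poly_add(p1, [-c for c in p2], q)

def poly_mul(p1, p2, q):
    """Schoolbook product in Z_q[x] (no reduction mod F), re-centered."""
    out = [0] * (len(p1) + len(p2) - 1) if p1 and p2 else []
    for i, a in enumerate(p1):
        for j, b in enumerate(p2):
            out[i + j] += a * b
    return [centered(c, q) for c in out]

def add_carries(a, b, q):
    """phi_q(a+b) - (phi_q(a) + phi_q(b)) in Z_q[x]: coefficient i is the
    schoolbook carry out of digit i-1, so every coefficient is in {-1,0,1}."""
    return poly_sub(phi_q(a + b, q), poly_add(phi_q(a, q), phi_q(b, q), q), q)

def mul_carries(a, b, q):
    """Same for products; here the carries grow with the sizes of a and b."""
    return poly_sub(phi_q(a * b, q), poly_mul(phi_q(a, q), phi_q(b, q), q), q)

if __name__ == "__main__":  # the talk's example: the carry for 2 + 3 is x^2
    print(poly_add(phi_q(2, 3), phi_q(3, 3), 3), phi_q(5, 3), add_carries(2, 3, 3))
```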