Large modulus ring-LWE is greater than or equal to module-LWE, and that is going to be the title. Today I'm going to be presenting some joint work I did with my PhD supervisor, Martin Albrecht, that basically relates module-LWE and large modulus ring-LWE.

Since I'm the first talk of the session, I'll start by defining plain LWE and the variants that we're interested in, so ring-LWE and module-LWE, along with a short motivation as to why we would even want these different variants. Secondly, I'll go into the main result of our paper, which basically reduces from module-LWE to ring-LWE after some change of parameters. And finally, I'll talk a bit about a consequence of the reduction.

Okay, so to start off with, what does a generic LWE-type problem look like? Well, the idea is that you're given some uniform random A from some finite set, and the search version of LWE would ask you to decode a noisy product. So you'd be given some B, where B is A times S plus E for some small error E, and you'd be asked to recover the secret S. The decision version of LWE basically asks you to distinguish between the case where B is a noisy product and the case where B is a uniform random element.

For the original LWE problem, A and S are actually n-dimensional vectors where the entries are integers modulo q, so all the arithmetic here is done over the integers modulo q. E is itself an integer, and it comes from some distribution: usually we assume that the error is sampled from a discrete Gaussian distribution over the integers. That's what the subscript sigma stands for; sigma is basically the width of the discrete Gaussian. And we usually take the secret from the same distribution, which is what's referred to as a normal form secret.
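As a toy illustration of the plain LWE sample just described (this is my own minimal sketch, not from the talk's slides; the parameters and the bounded-integer stand-in for a discrete Gaussian are illustrative assumptions):

```python
import random

def small_error(bound=2):
    """Illustrative stand-in for a narrow discrete Gaussian: a small bounded integer."""
    return random.randint(-bound, bound)

def lwe_sample(s, q):
    """One LWE sample: uniform vector a, noisy inner product b = <a, s> + e mod q."""
    a = [random.randrange(q) for _ in range(len(s))]
    b = (sum(ai * si for ai, si in zip(a, s)) + small_error()) % q
    return a, b

q, n = 3329, 8
# Normal-form secret: coordinates drawn from the error distribution.
s = [small_error() for _ in range(n)]
a, b = lwe_sample(s, q)

# Someone who knows s sees only a small residual error modulo q.
e = (b - sum(ai * si for ai, si in zip(a, s))) % q
assert e <= 2 or e >= q - 2
```

Search-LWE asks to recover `s` from many such pairs `(a, b)`; decision-LWE asks whether the second components are noisy products or uniform.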
And we do this because sampling secrets from the error distribution leads to a problem that is at least as hard as sampling secrets uniformly. So when we try to represent m LWE samples using matrices and vectors, what we end up with is this first component being an n-by-m-dimensional matrix whose columns are uniform vectors, and the second component being this m-dimensional vector B, because we have m LWE samples here, where each entry is basically the result of a noisy inner product.

Now, when we consider practical ring-LWE, all that changes is that B, A, S and E are now ring elements, and a typical choice of polynomial ring is given on this slide. These rings are called power-of-two cyclotomic rings. Once again, the idea is that you're given some uniform random polynomial A from this ring, and the search version asks you to recover S from B for these noisy products, where a small E basically means that each coefficient on its own is a small integer when considered modulo q. The decision version is simply to distinguish whether B is a noisy product or a uniform random element. Once again, our error distribution is usually taken to be a discrete Gaussian of narrow width sigma, so now we're basically sampling the coefficients from this error distribution.

So how do we represent one ring-LWE sample using the same matrix-vector notation as before? Well, the first component is this n-dimensional coefficient vector of A, and the second component is also an n-dimensional coefficient vector where each coefficient is basically the result of a noisy inner product. The interesting thing here is that the rows of this matrix are heavily correlated, so we tend to say that one ring-LWE sample is in some sense equivalent to n structured LWE samples.
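The "one ring sample equals n structured samples" point can be sketched concretely (my own toy code, not from the slides; the schoolbook multiplication and tiny parameters are illustrative assumptions). In R_q = Z_q[x]/(x^n + 1), each coefficient of a*s is an inner product between the coefficient vector of s and one row of a structured (negacyclic) matrix built from a:

```python
import random

def negacyclic_mul(a, s, q):
    """Schoolbook multiplication in Z_q[x]/(x^n + 1), using x^n = -1."""
    n = len(a)
    c = [0] * n
    for i in range(n):
        for j in range(n):
            if i + j < n:
                c[i + j] = (c[i + j] + a[i] * s[j]) % q
            else:
                c[i + j - n] = (c[i + j - n] - a[i] * s[j]) % q
    return c

def rot_matrix(a, q):
    """Negacyclic matrix of a: row k dotted with s gives coefficient k of a*s."""
    n = len(a)
    return [[(a[(k - j) % n] * (-1 if j > k else 1)) % q for j in range(n)]
            for k in range(n)]

q, n = 97, 4
a = [random.randrange(q) for _ in range(n)]
s = [random.randint(-2, 2) for _ in range(n)]

prod = negacyclic_mul(a, s, q)
M = rot_matrix(a, q)
rows = [sum(M[k][j] * s[j] for j in range(n)) % q for k in range(n)]
assert rows == prod  # n inner products, but the rows of M are heavily correlated
```

All n rows of `M` are rotations (with sign flips) of the single vector `a`, which is exactly the correlation mentioned above.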
Okay, so now for practical module-LWE, all that changes is that A and S are now module elements, and by a module element what I mean is a d-dimensional vector of ring elements. Once again we have the analogous definitions for search and decision module-LWE, where module multiplication is basically given by this analogue of an inner product of the two vectors. We have the same error distribution, so we usually take the coefficients to be sampled from some discrete Gaussian of width sigma.

Writing things out in matrix-vector notation, we end up with the following: the first component is an n-times-d-dimensional coefficient vector now, because remember we have d ring elements making up this A, and the second component is simply an n-dimensional coefficient vector where each coefficient is given by some noisy inner product. So in some sense, one module-LWE sample is equivalent to n structured LWE samples.

Okay, so what are the popular rings that people use in practice? We usually stick to power-of-two cyclotomic rings, and one of the main reasons for this is that we can perform extremely fast ring multiplication using number-theoretic transform techniques. When restricting to this form of ring, the effective dimensions we can achieve, for ring-LWE at least, are essentially powers of two. So a typical choice might be a ring dimension of 1024. But what happens if we want to increase security by increasing this ring dimension? We have to jump all the way to 2048 in order to do this. So there's a huge jump in order to potentially gain a small amount of security.
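The module-LWE sample described above can be sketched as follows (again my own toy code with illustrative parameters, not the talk's): A is a d-vector of ring elements, and b is the ring inner product with S plus a small error polynomial.

```python
import random

def negacyclic_mul(a, s, q):
    """Schoolbook multiplication in Z_q[x]/(x^n + 1), using x^n = -1."""
    n = len(a)
    c = [0] * n
    for i in range(n):
        for j in range(n):
            if i + j < n:
                c[i + j] = (c[i + j] + a[i] * s[j]) % q
            else:
                c[i + j - n] = (c[i + j - n] - a[i] * s[j]) % q
    return c

q, n, d = 97, 4, 3
A = [[random.randrange(q) for _ in range(n)] for _ in range(d)]   # d uniform ring elements
S = [[random.randint(-2, 2) for _ in range(n)] for _ in range(d)]  # normal-form secret
E = [random.randint(-2, 2) for _ in range(n)]                      # small error polynomial

# b = <A, S> + E, where the inner product uses ring multiplication.
b = [0] * n
for ai, si in zip(A, S):
    b = [(bk + pk) % q for bk, pk in zip(b, negacyclic_mul(ai, si, q))]
b = [(bk + ek) % q for bk, ek in zip(b, E)]

# A is described by n*d integers mod q, b by n integers mod q.
assert len(b) == n and sum(len(ai) for ai in A) == n * d
```

With a fixed base ring of dimension n = 256, raising the rank d from 4 to 5 moves the effective dimension from 1024 to 1280, which is the finer-grained scaling the talk contrasts with jumping from 1024 straight to 2048.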
Right, this might affect our scheme in terms of performance quite a lot, but this drawback can be mitigated by using module-LWE, because you can basically fix a small underlying ring of, say, dimension 256 and then set your module rank d to be whatever you want. So you can effectively go from dimension 1024 to 1024 plus 256 if you want to increase your security. The only drawback of playing this trick is that multiplying module elements costs a little bit more than multiplying ring elements of the same effective dimension, as I mentioned.

So here's a short summary of what we know about the efficiency and lattice hardness of these LWE variants. The first row basically says how many integers modulo q are required to represent n noisy inner products, or n potentially structured LWE samples. As you can see, reading from left to right, we go from the least efficient to the most efficient. On the other hand, the second row basically says that LWE is at least as hard as finding short vectors in a general lattice, module-LWE the same but for module lattices, and ring-LWE the same but for ideal lattices. The idea here is that as we go from left to right, we go from a general problem to a more structured problem, and therefore our hardness guarantee is potentially less strong.

Okay, so just before we get into the main result of our paper, it should be clear that you can reduce from ring-LWE to module-LWE. You would do this by starting off with some ring-LWE sample (everything in red is what you're given), and the way you produce the module-LWE sample is simply to sample a uniform A1 and an S1 from the appropriate secret distribution. Then your bold A, along with B plus A1 times S1, is a valid module-LWE sample for the bold A and bold S given on the slide.
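That trivial ring-to-module reduction can be sketched in code (a rank-2 toy version of my own, with illustrative parameters; the secret and error are known here only so we can check the claim, the reduction itself touches only the given sample and fresh randomness):

```python
import random

def negacyclic_mul(a, s, q):
    """Schoolbook multiplication in Z_q[x]/(x^n + 1), using x^n = -1."""
    n = len(a)
    c = [0] * n
    for i in range(n):
        for j in range(n):
            if i + j < n:
                c[i + j] = (c[i + j] + a[i] * s[j]) % q
            else:
                c[i + j - n] = (c[i + j - n] - a[i] * s[j]) % q
    return c

q, n = 97, 4
# The ring-LWE sample we start from: b = a*s + e.
s = [random.randint(-2, 2) for _ in range(n)]
e = [random.randint(-2, 2) for _ in range(n)]
a = [random.randrange(q) for _ in range(n)]
b = [(c + ek) % q for c, ek in zip(negacyclic_mul(a, s, q), e)]

# The reduction: sample a fresh uniform a1 and a fresh secret s1,
# and output ((a, a1), b + a1*s1) as a rank-2 module-LWE sample.
a1 = [random.randrange(q) for _ in range(n)]
s1 = [random.randint(-2, 2) for _ in range(n)]
b_mod = [(bk + pk) % q for bk, pk in zip(b, negacyclic_mul(a1, s1, q))]

# Check: b_mod = a*s + a1*s1 + e, a valid module sample for secret (s, s1).
lhs = [(x + y + ek) % q for x, y, ek in
       zip(negacyclic_mul(a, s, q), negacyclic_mul(a1, s1, q), e)]
assert b_mod == lhs
```

Note the reduction preserves the modulus q and the error term e exactly, which is why this direction is "free", while the opposite direction (the paper's result) has to change q and the error rate.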
Okay, so it's clear that module-LWE is at least as hard as ring-LWE when we fix q, which is the modulus, and the error rate alpha, where alpha is sigma over q. Remember that sigma is the effective size of your error. So what happens when you allow yourself to change q and alpha? Well, you can actually go the other way. In the paper, we basically show that there's a reduction that goes from module-LWE in rank d and modulus q to ring-LWE in modulus q to the d, and the main proof and analysis techniques are basically inspired by the classical hardness of learning with errors paper. So if you know that work, you'll probably see a lot of parallels drawn in this presentation.

Okay, so just before we start with the overview of the reduction: what I've given so far are the practical definitions of ring and module-LWE, but since we're reducing between problems, we should really use the formal definitions, and what I have on the slide is basically one step closer to the formal definitions of ring and module-LWE. What changes is that before, each coefficient of B was an integer modulo q, but now we're going to consider it to be lying in the continuous interval between 0 and 1. To do this, all we do is divide by q and then make the error continuous. The division by q explains why there's a 1 over q in front of the A times S, and we also have to note that E is now a continuous Gaussian of width alpha, where alpha is sigma over q, so the division by q comes into this width as well.

Okay, so as an overview of what we want to achieve in our reduction: we want to send uniform module elements to uniform ring elements, and we also want the map between secrets to be somewhat reversible, if we want to form a search-to-search reduction.
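The normalization step described above can be made concrete with a small sketch (my own, with illustrative parameters): divide the noisy product by q so that b lives on the torus [0, 1), and draw the error as a continuous Gaussian of width alpha = sigma / q.

```python
import random

q, n, sigma = 3329, 8, 3.2
alpha = sigma / q  # error rate: width of the continuous Gaussian

s = [random.randint(-2, 2) for _ in range(n)]   # normal-form secret
a = [random.randrange(q) for _ in range(n)]     # uniform sample

e = random.gauss(0, alpha)                      # continuous error of width alpha
inner = sum(ai * si for ai, si in zip(a, s))
b = (inner / q + e) % 1.0                       # (1/q)*<a, s> + e, taken mod 1

# Knowing s, the residual error is small modulo 1.
resid = (b - inner / q) % 1.0
assert min(resid, 1.0 - resid) < 10 * alpha
```

This is the form in which the reduction's target distribution is analyzed: B tilde is a point on the torus, and "small error" means a narrow continuous Gaussian mod 1.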
And the last thing we want is that B tilde, which is our final target ring-LWE sample, is a valid noisy product of A tilde and S tilde, so we want this E tilde on the bottom right-hand side to be a continuous Gaussian of narrow width.

Okay, so here's the intuition for the case where d equals 3. The idea is that we're going to set the lower bits of the coefficients of A tilde to be the bits of the first polynomial, the middle bits of the coefficients of A tilde to be the bits of the middle polynomial, and the upper bits to be the bits of the coefficients of the final polynomial. The same sort of thing holds for S, but we do it in the reverse direction. Concretely, we have A tilde equal to A0 plus q times A1 plus q squared times A2, and S tilde equal to S2 plus q times S1 plus q squared times S0. What we get when doing this is that the normalized product of A tilde and S tilde is roughly equal to the normalized product of our original module elements when taken to lie in the continuous interval between 0 and 1, which more or less suggests that we can take B tilde to equal B. And this is basically the error distribution that arises when doing this simplified version of the reduction.
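A scalar sanity check of this d = 3 digit-interleaving trick (polynomials replaced by single integers for readability; my own sketch, values illustrative): with A~ = a0 + q*a1 + q^2*a2 and S~ = s2 + q*s1 + q^2*s0, the product modulo q^3 carries the inner product <a, s> in its top base-q digit, plus small cross terms, while the terms with too high a power of q vanish modulo q^3.

```python
import random

q = 257
a = [random.randrange(q) for _ in range(3)]   # full-size "module" entries
s = [random.randint(0, 2) for _ in range(3)]  # small normal-form secret

A_t = a[0] + q * a[1] + q * q * a[2]          # interleave a in increasing digits
S_t = s[2] + q * s[1] + q * q * s[0]          # interleave s in reverse order

inner = a[0] * s[0] + a[1] * s[1] + a[2] * s[2]  # <a, s>, unreduced
cross1 = a[0] * s[1] + a[1] * s[2]               # small cross terms at weight q
cross2 = a[0] * s[2]                             # small cross term at weight 1

# All remaining terms carry q^3 or q^4 and disappear modulo q^3.
assert (A_t * S_t) % q**3 == (q * q * inner + q * cross1 + cross2) % q**3
```

Dividing through by q^3, this says exactly that the normalized product A~*S~ equals the normalized inner product <a, s>/q up to the small cross terms, which is the error distribution discussed next.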
So the right-hand side basically gives rise to our error distribution. The good thing about the first term is that it's already a continuous narrow Gaussian, and since in essence we're targeting a continuous narrow Gaussian, the first term is exactly what we want; this first term comes from the error of our original module-LWE sample. The second term is this sum, and the good thing about the sum is that it's small, because we're only considering terms where i is bigger than j. But the bad thing about this sum is that it obviously doesn't constitute a continuous Gaussian, because these A_j and S_i are basically discrete things, and the second issue is that if you were to expand this entire polynomial out, the coefficients wouldn't be independent. You can somewhat overcome this second issue by using the canonical embedding, because of the way polynomial multiplication looks in that space.

So what are the technicalities in the full reduction, and what do we do in our paper? Well, the problem is that we end up with an unknown bad error distribution that depends on the unknown secret: we actually end up with some discrete distribution over some lattice that depends on it. To solve this problem, we perform essentially the same reduction, but in a randomised way, and then we have to drown out this structure in our error distribution. To do this, we apply some drowning techniques from prior work, and if you read our paper you'll see that we do in fact work with the canonical embedding and dual rings, as well as using Rényi divergence arguments throughout, because we know that this allows us to target a final error distribution that is a spherical Gaussian. When all is said and done, what we have is an error expansion of n squared times root d. But if you had to be satisfied with
a small error distribution, rather than exactly targeting a Gaussian error distribution, you would probably not bother drowning, and you would see a square root of n times d error expansion in practice.

Okay, so here is the summary of the result, and it turns out that you can also play the same game within a ring: you can have a reduction that goes from ring-LWE to ring-LWE that halves the dimension but squares the modulus.

Okay, so briefly, I'm going to tell you what cryptanalysis says about the hardness of ring-LWE when you increase q but fix alpha. A requirement for, say, the primal attack to work is that alpha must be at most q to the power of minus (m plus 1) over (m plus n plus 1), where m is basically the number of samples available to you. So if you have one ring-LWE sample, you effectively have n noisy inner products available, and m in this case would be at most n. So what happens when you replace q by q to the d? Well, you end up with this second inequality, which is basically harder to satisfy than the first. For any scenario where you have a maximum number of ring-LWE samples available to you, you can basically keep increasing this d until the second inequality is no longer satisfiable. So in some sense, it appears that ring-LWE gets harder as we increase the modulus.

Okay, so what does the standard reduction from lattice problems say about ring-LWE? It says that as long as alpha times q is at least something asymptotic in root log n, then ring-LWE is at least as hard as finding short vectors over ideal lattices to within approximation factor gamma. So we're not looking for the shortest vector, but for vectors of length gamma times the shortest vector. The interesting thing is that this gamma is independent of q, so if we replace q by q to the d, we get the same hardness guarantee. So to summarize the different perspectives: from cryptanalysis it seems like increasing q makes things harder, but increasing q doesn't really change things
from the perspective of the theorem on the previous slide.

Okay, so if you try to build a hardness landscape around our reduction, this is essentially what you get. The top double-ended arrow is basically an equivalence between ring-LWE and module-LWE in rank 1, the arrows going from right to left are a result of the trivial or straightforward reduction that goes from ring-LWE to module-LWE in any rank, and finally the arrows going from left to right are a result of the main reduction of our paper, the one that goes from module-LWE to ring-LWE. So if you read down the right-hand side, you do get that the hardness of ring-LWE appears to increase as we increase the modulus.

Okay, so just to conclude the talk: a corollary of our work is that we've shown that certain ring-LWE instances are at least as hard as solving the module-SIVP problem, and this conclusion basically utilizes the hardness guarantee given in the original module-LWE paper. This result also augments the result that says that ring-LWE is at least as hard as finding short vectors in ideal lattices. The only thing to note is that when we perform our reduction from module-LWE to ring-LWE, we're actually reducing to a ring-LWE problem that appears to be slightly harder than the ones used in the literature; in particular, they require a larger module lattice rank in order to be solved. Nonetheless, we're basically showing that for any module-LWE problem you can define a ring-LWE problem that's at least as hard to solve as your original module-LWE problem, and we've shown explicitly what the relationship between the parameters should be. Okay, so that's all I have to say, and thanks for listening.