Abstract
Learning with Errors (LWE) and Ring-LWE (RLWE) problems allow the construction of efficient key exchange and public-key encryption schemes. However, while improving the security through the use of error distributions with large standard deviations, the decryption failure rate increases as well. Currently, the independence of individual coefficient failures is assumed to estimate the overall decryption failure rate of many LWE/RLWE schemes. However, previous work has shown that this assumption is not correct. This assumption leads to wrong estimates of the decryption failure probability and consequently of the security level of the LWE/RLWE cryptosystem. An exploration of the influence of the LWE/RLWE parameters on the stochastic dependence among the coefficients is still missing. In this paper, we propose a method to analyze the stochastic dependence between decryption failures in LWE/RLWE cryptosystems. We present two main contributions. First, we use statistical methods to analyze the influence of fixing the norm of the error distribution on the stochastic dependence among decryption failures. The results have shown that fixing the norm of the error distribution indeed reduces the stochastic dependence of decryption failures. Therefore, the independence assumption gives a very close approximation to the true behavior of the cryptosystem. Second, we analyze and explore the influence of the LWE/RLWE parameters on the stochastic dependence. This exploration gives designers of LWE/RLWE based schemes the opportunity to compare different schemes with respect to the inaccuracy made by using the independence assumption. This work shows that the stochastic dependence depends on three LWE/RLWE parameters in different ways: i) it increases with higher lattice dimensions (n) and higher standard deviations of the error distribution (\(\sqrt{k/2}\)); and ii) it decreases with higher modulus (q).
G. Maringer and T. Fritzmann contributed equally to this work.
G. Maringerâs work was supported by the German Research Foundation (Deutsche Forschungsgemeinschaft, DFG) under Grant No. WA3907/4-1. T. Fritzmannâs work was supported by the German Research Foundation (Deutsche Forschungsgemeinschaft, DFG) under Grant No. SE2989/1-1.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Alkim, E., et al.: NewHope: algorithm specifications and supporting documentation (2018). https://newhopecrypto.org/data/NewHope_2018_12_02.pdf
Avanzi, R., et al.: CRYSTALS-Kyber: algorithm specifications and supporting documentation (2019). https://www.pq-crystals.org/kyber/data/kyber-specification-round2.pdf
Commentators-LAC: Official comments LAC (2018). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/LAC-official-comment.pdf
DâAnvers, J.P., Vercauteren, F., Verbauwhede, I.: The impact of error dependencies on Ring/Mod-LWE/LWR based schemes. Technical report, Cryptology ePrint Archive, Report 2018/1172 (2018)
Fluhrer, S.R.: Cryptanalysis of ring-lwe based key exchange with key share reuse. IACR Cryptology ePrint Archive 2016, 85 (2016)
Fritzmann, T., Pöppelmann, T., Sepulveda, J.: Analysis of error-correcting codes for lattice-based key exchange. In: Cid, C., Jacobson Jr., M. (eds.) SAC 2018. LNCS, vol. 11349, pp. 369â390. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_17
Götze, F., Sambale, H., Sinulis, A.: Higher order concentration for functions of weakly dependent random variables. arXiv:1801.06348 (2018)
Lu, X., Liu, Y., Jia, D., Xue, H., He, J., Zhang, Z.: Supporting documentation: LAC (2017). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-2-Submissions
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1â23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
McEliece, R.: The Theory of Information and Coding. Cambridge University Press, Cambridge (2002)
Oloff, R.: Wahrscheinlichkeitsrechnung und MaĂtheorie. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-53024-5
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84â93. ACM, New York (2005). https://doi.org/10.1145/1060590.1060603. http://doi.acm.org/10.1145/1060590.1060603
Saarinen, M.J.O.: Supporting documentation: HILA5 (2017). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions
Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27(3), 379â423 (1948)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Influence of k on the Stochastic Dependence
As mentioned in Subsect. 6.2, NewHope parameters with an increased variance of the error distribution are used to show the influence of k on the stochastic dependence of decryption failures with finer granularity.
Figure 6 shows the influence of the variance of the error distribution on the probability of the number of decryption failures. The results show that increasing the variance increases the failure rate. It is also shown that the deviation between independence assumption and experimentally determined curves is increased for larger k.
Table 3 shows the Pearson correlation, l1-distance, and mutual information for \(k=40\) and \(k=52\). The results show an increase of the stochastic dependence when k is increased.
B Statistical Estimation Error of \(p_b\)
In order to obtain the results presented in Figs. 1 and 2, it was necessary to estimate the failure probability \(p_b\) of a single coefficient. This was accomplished using a Monte Carlo simulation. We denote the number of samples as n and the number of errors within those samples as \(n_e\). We estimate \(p_b\) with
In the following we justify why the error inflicted by using the estimation \(p_b'\) of \(p_b\) is negligible.
Therefore, the basic task is to use the knowledge of n and \(n_e\) obtained from the experiment to find an interval in which \(p_b\) lies with high probability. This interval is denoted in the following as the confidence interval \([p_1,p_2]\). The probability for \(p_b\) to be in this interval is denoted as the confidence level \(c_l\). The confidence interval depends on the demanded confidence level \(c_l\), n and \(n_e\).
The following approach is analogous to the description in [11].
We define the variable
where norminv(.) denotes the inverse of the cumulative distribution function of the standard normal distribution.
Then
As in general \(g \ll n\) the confidence interval is approximately centered around \(p_b'\).
Example 2
In this example the algorithm LAC256 with Round 2 sampling is considered. We consider only failures within the first coefficient in the Monte Carlo simulation. Due to symmetry the likelihood of an error is the same within each coefficient.
We fix the demanded confidence level to \(c_l=99\%\). The results of the Monte Carlo simulation show that \(n_e = 560305194\), \(n=10^{11}\). Therefore,
The results show that the length of the interval relative to \(p_b'\) is \(0.0217\%\) for a confidence level of \(99\%\). Therefore it is possible to approximate the actual \(p_b\) with \(p_b'\) obtained using a Monte Carlo simulation.
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Maringer, G., Fritzmann, T., SepĂșlveda, J. (2020). The Influence of LWE/RLWE Parameters on the Stochastic Dependence of Decryption Failures. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science(), vol 12282. Springer, Cham. https://doi.org/10.1007/978-3-030-61078-4_19
Download citation
DOI: https://doi.org/10.1007/978-3-030-61078-4_19
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-61077-7
Online ISBN: 978-3-030-61078-4
eBook Packages: Computer ScienceComputer Science (R0)