The Ring-LWE Problem in Lattice-Based Cryptography: The Case of Twisted Embeddings

Several works have characterized weak instances of the Ring-LWE problem by exploring vulnerabilities arising from the use of algebraic structures. Although these weak instances are not addressed by worst-case hardness theorems, enabling other ring instantiations enlarges the scope of possible applications and favors the diversification of security assumptions. In this work, we extend the Ring-LWE problem in lattice-based cryptography to include algebraic lattices, realized through twisted embeddings. We define the class of problems Twisted Ring-LWE, which replaces the canonical embedding by an extended form. By doing so, we allow the Ring-LWE problem to be used over maximal real subfields of cyclotomic number fields. We prove that Twisted Ring-LWE is secure by providing a security reduction from Ring-LWE to Twisted Ring-LWE in both search and decision forms. It is also shown that the twist factor does not affect the asymptotic approximation factors in the worst-case to average-case reductions. Thus, Twisted Ring-LWE maintains the consolidated hardness guarantee of Ring-LWE and increases the existing scope of algebraic lattices that can be considered for cryptographic applications. Additionally, we expand on the results of Ducas and Durmus (Public-Key Cryptography, 2012) on spherical Gaussian distributions to the proposed class of lattices under certain restrictions. As a result, sampling from a spherical Gaussian distribution can be done directly in the respective number field while maintaining its format and standard deviation when seen in Zn via twisted embeddings.

On the condition number of the Vandermonde matrix of the nth cyclotomic polynomial

Recently, Blanco-Chacón proved the equivalence between the Ring Learning With Errors and Polynomial Learning With Errors problems for some families of cyclotomic number fields by giving some upper bounds for the condition number Cond(Vn) of the Vandermonde matrix Vn associated to the nth cyclotomic polynomial. We prove some results on the singular values of Vn and, in particular, we determine Cond(Vn) for n = 2kpℓ, where k, ℓ ≥ 0 are integers and p is an odd prime number.

Upper bounds on relative class numbers of cyclotomic fields

We explain how one can use the explicit formulas for the mean square values of L-functions which we established elsewhere to obtain explcit upper bounds on relative class numbers of cyclotomic number fields. As an example, we show that the relative class numbers of the cyclotomic fields of conductor 4p, p ≥ 3 a prime, are less than or equal to 8√p(p/16)(p−1)/2.

Optimal Black-Box Secret Sharing over Arbitrary Abelian Groups

A black-box secret sharing scheme for the threshold access structure T_t,n is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field) in that distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares are sampled. This means that perfect completeness and perfect privacy are guaranteed regardless of which group G is chosen. We define the black-box secret sharing problem as the problem of devising, for an arbitrary given T_t,n, a scheme with minimal expansion factor, i.e., where the length of the full vector of shares divided by the number of players, n, is minimal. <br /> Such schemes are relevant for instance in the context of distributed cryptosystems based on groups with secret or hard to compute group order. A recent example is secure general multi-party computation over black-box rings. <br /> In 1994 Desmedt and Frankel have proposed an elegant approach to the black-box secret sharing problem based in part on polynomial interpolation over cyclotomic number fields. For arbitrary given T_t,n with 0 < t < n-1, the expansion factor of their scheme is O(n). This is the best previous general approach to the problem. <br /> Using low degree integral extensions of Z over which there exists a pair of sufficiently large Vandermonde matrices with co-prime determinants, we construct, for arbitrary given T_t,n with 0 < t < n-1, a black-box secret sharing scheme with expansion factor O(log n), which we show is minimal.

Class number of (v, n, M)-extensions

An analogue of cyclotomic number fields for function fields over the finite field q, was investigated by L. Carlitz in 1935 and has been studied recently by D. Hayes, M. Rosen, S. Galovich and others. For each nonzero polynomial M in q [T], we denote by k (ΛM) the cyclotomic function field associated with M, where k = q(T). Replacing T by 1/T in k and considering the cyclotomic function field Fv that corresponds to (1/T)v+1 gets us an extension of k, denoted by Lv, which is the fixed field of Fv modulo . We define a (v, n, M)-extension to be the composite N = knk (Λm) Lv where kn is the constant field of degree n over k. In this paper we give analytic class number formulas for (v, n, M)-extensions when M has a nonzero constant term.