The Geometry of Rings
Chris Peikert
Georgia Institute of Technology
ECRYPT II Summer School on Lattices
Porto, Portugal
2 Oct 2012
1 / 13
LWE Over Rings (Over-Simplified)    [LPR’10]

Ring R := Z[X]/(1 + X^n) for some n = 2^k, R_q := R/qR.

• Problem: for s ← R_q, distinguish {(a_i, b_i)} from uniform {(a_i, b_i)}.

    a_1 ← R_q,  b_1 = a_1 · s + e_1 ∈ R_q
    a_2 ← R_q,  b_2 = a_2 · s + e_2 ∈ R_q
    ...

• Errors e(X) ∈ R are “short.” What could this mean? Identify

    $e(X) = \sum_{j=0}^{n-1} e_j X^j \;\overset{(?)}{\longleftrightarrow}\; (e_0, e_1, \dots, e_{n-1}) \in \mathbb{Z}^n.$

• Applications need (+, ·)-combinations of errors to remain short. Yes!

    $\|e + f\| \le \|e\| + \|f\|, \qquad \|e \cdot f\| \le \sqrt{n} \cdot \|e\| \cdot \|f\|.$

  “Expansion factor” √n is worst-case. (“On average,” ≈ √(log n).)
2 / 13
Example Application: Homomorphic Encryption    [BV’11a]

• R = Z[X]/(1 + X^{2^k}), R_q = R/qR. Symmetric key s ← R_q.
• Enc_s(m ∈ R_2): choose a “short” e ∈ R s.t. e = m mod 2. Let
    c_1 ← R_q and c_0 = −c_1 · s + e ∈ R_q,
  and output c(S) = c_0 + c_1 S ∈ R_q[S].
  (Notice: c(s) = e mod q.)
  Security: (c_1, c_0) is an RLWE sample (essentially).
• Dec_s(c(S)): get short d ∈ R s.t. d = c(s) mod q. Output d mod 2.
  Correctness: d = e, as long as e has Z-coeffs ∈ (−q/2, q/2).
• EvalAdd(c, c′) = (c + c′)(S), EvalMul(c, c′) = (c · c′)(S).
  Decryption works if e + e′, e · e′ “short enough.”
  Many mults ⇒ large power of expansion factor ⇒ tiny error rate α ⇒ big parameters!
3 / 13
Other Rings: Cyclotomics

• Used in faster bootstrapping [GHS’12a], homomorphic AES [GHS’12b].
  R = Z[X]/Φ_m(X) for mth cyclotomic polynomial Φ_m(X).

    $\Phi_m(X) = \prod_{i \in \mathbb{Z}_m^*} (X - \omega^i) \in \mathbb{Z}[X], \qquad \omega = \exp(2\pi\sqrt{-1}/m) \in \mathbb{C}$

• Roots ω^i run over all n = ϕ(m) primitive mth roots of unity.
  “Power” Z-basis of R is {1, X, X^2, ..., X^{n−1}}.

  [Figure: primitive 8th roots of unity, Φ_8(X) = 1 + X^4, and primitive 9th roots of unity, Φ_9(X) = 1 + X^3 + X^6, on the unit circle]

  Non-prime power m?
  ✗ Φ_21(X) = 1 − X + X^3 − X^4 + X^6 − X^8 + X^9 − X^11 + X^12
  ✗✗ Φ_105(X) = [degree 48; 33 monomials with {−2, −1, 1}-coefficients]

Annoyances
✗ Irregular Φ_m(X) ⇒ slower, more complex operations
✗ Large expansion factor √n – even super-poly(n)!
✗ Provable hardness also degrades with expansion factor: pay twice!
4 / 13
Talk Agenda

1. Cyclotomic rings and their canonical geometry
   ✓ No expansion factor anywhere
   ✓ Provable, tight hardness – same for all cyclotomics
   ✓ Fast, modular ring operations
2. The dual ideal R^∨ and ring-LWE
3. The decoding basis of R^∨ and its properties
4. Benefits in applications: tight parameters, algorithmic efficiency

Based on:
[LPR’10] V. Lyubashevsky, C. Peikert, O. Regev. “On Ideal Lattices and Learning with Errors Over Rings.”
[LPR’12] V. Lyubashevsky, C. Peikert, O. Regev. “A Toolkit for Ring-LWE Cryptography.”
5 / 13
Cyclotomic Rings

Key Facts
1. For prime p: Φ_p(X) = 1 + X + X^2 + ··· + X^{p−1}
2. For m = p^e: Φ_m(X) = Φ_p(X^{m/p}) = 1 + X^{m/p} + ··· + X^{m−m/p}
✗ Otherwise, Φ_m(X) is less “regular” and more dense.

Reducing to the Prime-Power Case
• Let m have prime-power factorization m = m_1 ··· m_ℓ. Then

    $R = \mathbb{Z}[X]/\Phi_m(X) \;\cong\; \mathbb{Z}[X_1, \dots, X_\ell]/(\Phi_{m_1}(X_1), \dots, \Phi_{m_\ell}(X_\ell)) \;\cong\; \bigotimes_i \mathbb{Z}[X_i]/\Phi_{m_i}(X_i),$

  via X_i ↦ X^{m/m_i}. (Indeed, X^{m/m_i} has order m_i.)
• R has tensor Z-basis {X_1^{j_1} ··· X_ℓ^{j_ℓ}}, where each 0 ≤ j_i < ϕ(m_i).
  Notice!: tensor basis ≠ power basis {X^j} for 0 ≤ j < ϕ(m).
• Bottom line: can reduce operations in R to independent operations in prime-power cyclotomic rings Z[X_i]/Φ_{m_i}(X_i).
6 / 13
Canonical Geometry of R

• R = Z[X]/Φ_m(X) has n = ϕ(m) ring embeddings (homomorphisms) into C, each given by evaluation at a root of Φ_m:
    X ↦ ω^i for each i ∈ Z_m^*.
• The canonical embedding σ of R into C^n is $\sigma(a) = \big(a(\omega^i)\big)_{i \in \mathbb{Z}_m^*}$.
• Define all geometric quantities using σ (not coefficient vectors!!).
  E.g., ‖a‖_2 := ‖σ(a)‖_2.

Nice Properties
✓ Under σ, both + and · are coordinate-wise: σ(a · b) = σ(a) ⊙ σ(b).
  This yields the “expansion” bound

    $\|a \cdot b\|_2 \le \|a\|_\infty \cdot \|b\|_2, \qquad \text{where } \|a\|_\infty = \max_i |a(\omega^i)|.$

✓ Expansion is element-specific. No more ring “expansion factor.”
7 / 13
Example 1

• 4th cyclotomic R = Z[X]/(1 + X^2): embeddings X ↦ ±√−1
    σ(1) = (1, 1),  σ(X) = (±√−1)

In Any 2^k-th Cyclotomic...
✓ For any j, ‖X^j‖_2 = √n and ‖X^j‖_∞ = 1.
✓ Power basis {1, X, ..., X^{n−1}} is orthogonal under embedding σ.
  So coefficient/canonical embeddings equivalent (up to √n scaling).
8 / 13
Example 2

• 3rd cyclotomic R = Z[X]/(1 + X + X^2): embed X ↦ −1/2 ± √−3/2
    σ(1) = (1, 1),  σ(X) = (−1/2 ± √−3/2)

In Any Cyclotomic...
✓ For any j, ‖X^j‖_2 = √n and ‖X^j‖_∞ = 1.
• Power basis {1, X, ..., X^{n−1}} is not orthogonal (unless m = 2^k).
• So in power basis, short elements can have long coeff vectors.
  E.g., ‖e‖ = ‖1‖ = ‖X‖ = √n but e = 1 + X.
9 / 13
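The canonical-embedding geometry of Examples 1 and 2 carried out in code, as an added example that is not part of the original slides: it embeds power-basis polynomials at the primitive mth roots of unity, checks ‖X^j‖_2 = √n and ‖X^j‖_∞ = 1, tests whether the power basis is orthogonal (m = 8 and 16 versus m = 3 and 15), and checks the element-specific bound ‖a·b‖_2 ≤ ‖a‖_∞·‖b‖_2. Function names are my own; only the Python 3 standard library is assumed.

```python
"""Canonical embedding of cyclotomic rings, in pure Python (no numpy).

Added example, not from the slides: an element a of R = Z[X]/Phi_m(X) is a
list of integer coefficients in the power basis {1, X, ..., X^(n-1)}, and
every geometric quantity is computed through sigma(a) = (a(omega^i))_i.
"""
import cmath
from math import gcd, sqrt

def units(m):
    """Z_m^*: the i in [1, m] coprime to m; there are n = phi(m) of them."""
    return [i for i in range(1, m + 1) if gcd(i, m) == 1]

def embed(coeffs, m):
    """Canonical embedding sigma(a): evaluate a(X) at each primitive m-th root omega^i."""
    omega = cmath.exp(2j * cmath.pi / m)
    return [sum(c * omega ** (i * j) for j, c in enumerate(coeffs)) for i in units(m)]

def norm2(vec):
    """Euclidean norm ||sigma(a)||_2, the slides' ||a||_2."""
    return sqrt(sum(abs(z) ** 2 for z in vec))

def norm_inf(vec):
    """||a||_inf = max_i |a(omega^i)|."""
    return max(abs(z) for z in vec)

def monomial(j):
    """Power-basis coefficients of X^j."""
    return [0] * j + [1]

def ring_mul(a, b, m):
    """sigma(a * b): under sigma, multiplication is coordinate-wise, so no
    reduction modulo Phi_m(X) is ever needed."""
    return [x * y for x, y in zip(embed(a, m), embed(b, m))]

def expansion_bound_holds(a, b, m, tol=1e-9):
    """Check the element-specific bound ||a*b||_2 <= ||a||_inf * ||b||_2."""
    lhs = norm2(ring_mul(a, b, m))
    rhs = norm_inf(embed(a, m)) * norm2(embed(b, m))
    return lhs <= rhs + tol

def gram_power_basis(m):
    """Gram matrix <sigma(X^j), sigma(X^k)> (Hermitian inner product) of the power basis."""
    n = len(units(m))
    sig = [embed(monomial(j), m) for j in range(n)]
    return [[sum(x * y.conjugate() for x, y in zip(sig[j], sig[k])) for k in range(n)]
            for j in range(n)]

def power_basis_orthogonal(m, tol=1e-9):
    """True iff the power basis is orthogonal under sigma (the slides: iff m = 2^k)."""
    gram = gram_power_basis(m)
    n = len(gram)
    return all(abs(gram[j][k]) < tol for j in range(n) for k in range(n) if j != k)

if __name__ == "__main__":
    # Example 1: m = 8 (n = 4); Example 2: m = 3 (n = 2), as on the slides.
    for m in (8, 3):
        n = len(units(m))
        print(f"m={m}: ||X||_2={norm2(embed(monomial(1), m)):.3f} (sqrt n={sqrt(n):.3f}),"
              f" ||X||_inf={norm_inf(embed(monomial(1), m)):.3f},"
              f" power basis orthogonal? {power_basis_orthogonal(m)}")
    # e = 1 + X in the 3rd cyclotomic has the same norm sqrt(2) as 1 and X.
    print("m=3: ||1 + X||_2 =", round(norm2(embed([1, 1], 3)), 6))
```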
Duality and the Dual Ideal R^∨

• Define trace function Tr : R → Z as $\mathrm{Tr}(a) = \sum_{i \in \mathbb{Z}_m^*} a(\omega^i)$.
  Tr(a · b) is (essentially) the “inner product” of embedded a, b:

    $\mathrm{Tr}(a \cdot b) = \sum_i a(\omega^i) \cdot b(\omega^i) = \langle \sigma(a), \sigma(b) \rangle.$

• Define R’s “dual” R^∨ := {d : Tr(a · d) ∈ Z, ∀ a ∈ R}.
  Has “decoding” Z-basis {d_{j′}}, where Tr(X^j · d_{j′}) = δ_{j,j′}.

  [Figure: the lattices R (basis X^0, X^1) and R^∨ (basis d_0, d_1) under the embedding]

Useful Facts
1. R^∨ is an ideal: −a, a + b, a · r ∈ R^∨ for all a, b ∈ R^∨, r ∈ R.
2. For m = 2^k (dim n = m/2): {X^j} orthogonal and ‖X^j‖ = √n.
   So d_j = (1/n) X^j and R^∨ = (1/n) R. I.e., R and R^∨ equivalent up to scale.
3. In general, mR^∨ ⊆ R ⊆ R^∨, with mR^∨ ≈ R.

Super-Useful Fact
✓ If e ∈ R^∨ is short, its Z-coeffs in decoding basis {d_j} are small:

    $e = \sum_j e_j d_j \ (e_j \in \mathbb{Z}) \implies |e_j| = |\mathrm{Tr}(X^j \cdot e)| \le \|e\| \cdot \sqrt{n}.$

  (Better: Gaussian e w/ std. dev. s ⇒ Gaussian e_j w/ std. dev. s√n.)
10 / 13
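The trace form, decoding basis and “super-useful fact” of this slide worked out in code, as an added example that is not from the talk: the decoding basis is obtained exactly as the inverse of the integer Gram matrix Tr(X^j · X^k), and for m = 8 its columns come out as ±X^{j′}/4, which is the slide’s (1/n)R up to sign and order. Function names are my own; only the Python 3 standard library is assumed.

```python
"""Trace form, dual ideal R^vee and decoding basis of R = Z[X]/Phi_m(X).

Added example (not from the slides). Ring elements are coefficient lists in
the power basis; rational coefficients (Fractions) describe elements of R^vee.
"""
import cmath
from fractions import Fraction
from math import gcd, sqrt

def units(m):
    """Z_m^*: the i in [1, m] coprime to m; there are n = phi(m) of them."""
    return [i for i in range(1, m + 1) if gcd(i, m) == 1]

def embed(coeffs, m):
    """Canonical embedding: evaluate a(X) at every primitive m-th root of unity."""
    omega = cmath.exp(2j * cmath.pi / m)
    return [sum(float(c) * omega ** (i * j) for j, c in enumerate(coeffs)) for i in units(m)]

def monomial(j):
    """Power-basis coefficients of X^j."""
    return [0] * j + [1]

def trace_pair(a, b, m):
    """Tr(a * b) = sum_i a(omega^i) * b(omega^i), evaluated in the embedding (it is real)."""
    return sum(x * y for x, y in zip(embed(a, m), embed(b, m))).real

def trace_gram(m):
    """Integer Gram matrix T[j][k] = Tr(X^j * X^k) of the power basis of R."""
    n = len(units(m))
    return [[round(trace_pair(monomial(j), monomial(k), m)) for k in range(n)] for j in range(n)]

def inverse(matrix):
    """Exact inverse over Q by Gauss-Jordan elimination (StopIteration if singular)."""
    n = len(matrix)
    aug = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(matrix)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        pivot = aug[col][col]
        aug[col] = [x / pivot for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def decoding_basis(m):
    """Column j' of T^{-1} is d_j' in the power basis, so Tr(X^j * d_j') = delta_{j,j'}."""
    return inverse(trace_gram(m))

def decoding_element(k, m):
    """Power-basis (Fraction) coefficients of d_k."""
    return [row[k] for row in decoding_basis(m)]

def is_dual_basis(m, tol=1e-9):
    """Check Tr(X^j * d_k) = delta_{j,k} numerically, through the embedding."""
    n = len(units(m))
    return all(abs(trace_pair(monomial(j), decoding_element(k, m), m) - (j == k)) < tol
               for j in range(n) for k in range(n))

def decoding_coeffs(e, m):
    """Z-coefficients of e in R^vee w.r.t. the decoding basis: e_j = Tr(X^j * e)."""
    return [round(trace_pair(monomial(j), e, m)) for j in range(len(units(m)))]

def coeff_bound_holds(e, m):
    """Super-useful fact: |e_j| <= ||e||_2 * sqrt(n) for every decoding coefficient."""
    n = len(units(m))
    norm = sqrt(sum(abs(z) ** 2 for z in embed(e, m)))
    return all(abs(ej) <= norm * sqrt(n) + 1e-9 for ej in decoding_coeffs(e, m))

if __name__ == "__main__":
    for m in (8, 3):
        for k in range(len(units(m))):
            print(f"m={m}: d_{k} =", [str(c) for c in decoding_element(k, m)])
    # e = 1 lies in R, hence in R^vee: decoding coefficients (2, -1) for m = 3.
    print("m=3, e=1:", decoding_coeffs([1, 0], 3), coeff_bound_holds([1, 0], 3))
```

For m = 3 the basis is d_0 = 1/3 − X/3 and d_1 = −1/3 − 2X/3, so 3·R^∨ ⊆ R as item 3 of the slide states.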
Ring-LWE: The Complete Definition    [LPR’10]

Ring R := Z[X]/Φ_m(X) for any m, R_q = R/qR, R_q^∨ = R^∨/qR^∨.

• Problem: for s ← R_q^∨, distinguish {(a_i, b_i)} from uniform {(a_i, b_i)}.

    a_1 ← R_q,  b_1 = a_1 · s + e_1 ∈ R_q^∨
    a_2 ← R_q,  b_2 = a_2 · s + e_2 ∈ R_q^∨
    ...

• Errors e ∈ R^∨ Gaussian (w/ std. dev. αq) in canonical embedding.
  So |e(ω^i)| ≈ αq are independent∗ – but coeffs |e_j| ≈ αq√n are not!

Theorem
For any m, ring-LWE with error std. dev. αq ≥ 6∗ is (quantumly) as hard as Õ(n/α)-SVP on any ideal lattice in R.
11 / 13
BV Homomorphic Encryption, Revisited

• Symmetric key s ← R_q.
• Enc_s(m ∈ R_2^∨): choose Gaussian e ∈ R^∨ s.t. e = m mod 2R^∨. Let
    c_1 ← R_q^∨ and c_0 = −c_1 · s + e ∈ R_q^∨,
  and output c(S) = c_0 + c_1 S ∈ R_q^∨[S].
  (Note: c(s) = e mod qR^∨.)
• Dec_s(c(S)): get short d ∈ R^∨ s.t. d = c(s) mod qR^∨.
  Correctness: d = e, if e’s decoding basis Z-coeffs ∈ (−q/2, q/2).
• EvalMul(c, c′) = (c · c′)(S) ∈ (R^∨)^k_q[S] where k = deg(c) + deg(c′).
  ★ Noise e = e_1 ··· e_k ∈ (R^∨)^k, so m^{k−1} e ∈ R^∨.
  ★ Since ‖e_i‖_∞ ≈ αq = 6, m^{k−1} e has Gaussian std. dev. ≈ 6^k m^{k−1}.
  ★ So need q ≈ 6^k m^{k−1} √n < (6m)^k to decrypt deg-k ciphertexts.
    Versus q ≈ γ^{k−1} n^k via expansion factor γ√n.
    ⇒ ≈ γ^{k−1} factor improvement in error rate.
12 / 13
Conclusions

1. Using canonical geometry yields tight noise expansion, clean analysis in all cyclotomics.
2. Using R^∨ with the decoding basis yields smaller coefficients ⇒ larger noise rates ⇒ smaller params/higher security.
3. Using the tensor basis of

    $R \cong \mathbb{Z}[X_1, \dots, X_\ell]/(\Phi_{m_1}(X_1), \dots, \Phi_{m_\ell}(X_\ell))$

   yields fast, modular algorithms for all cyclotomics.

Thanks!
13 / 13