Score:1

Can you instantiate Ring-LWE with coefficients from a prime-power field?


Generally, we instantiate Ring-LWE with the polynomial ring $R = \mathbb{F}_q[X]\,/\,(X^N+1)$ for prime $q$ and some power-of-two $N$.

Can we instead do Ring-LWE over the ring $R = \mathbb{F}_q[X]\,/\,(X^N+1)$, where $q$ can be any prime power? Basically, this would mean the coefficients of ciphertexts are elements of $GF(q)$.

(Also, is this an unusual choice, or covered by existing literature that I'm not aware of?)

fgrieu
I think that the first sentence is to be read: _Generally, we instantiate Ring-LWE with the polynomial ring $R=\mathbb F_q[X]\,/\,(X^N+1)$ for prime $q$ and some power-of-two $N$._
S. M.
Yes, I edited it, thank you!
Score:1

Yes, it is possible to instantiate Ring-LWE with the polynomial ring $R = \mathbb{F}_q[X]/(X^N+1)$, where $q$ is a prime power and $N$ is a power of two. In this case, Ring-LWE is known as "Finite Field Ring-LWE" or "FF-Ring-LWE".

In FF-Ring-LWE, the coefficients of the ciphertexts are elements of the finite field $GF(q)$, which is the field of order $q$. The arithmetic operations in $GF(q)$ are similar to those in $\mathbb{Z}_q$, but with some differences due to the fact that $GF(q)$ is a field rather than a ring.

However, the choice of q can have an impact on the security of the scheme. In particular, if q is too small, then the scheme may be vulnerable to certain attacks, such as lattice reduction algorithms. On the other hand, if q is too large, then the scheme may be less efficient and require larger key sizes.

S. M.
I can't find any references to 'FF-Ring-LWE' or 'Finite Field Ring-LWE' on Google Scholar...
Mark
It's not called that, because the choice of $q$ doesn't impact the security of schemes except via the quantity $\log q$.
S. M.
But these schemes use $\mathbb{Z}_q$, *not* $\mathbb{F}_q$ for prime-power q. These are different things (the first isn't even a field!)
Mark
In that case, don't you have that $\mathbb{F}_q\cong \mathbb{Z}_p[x]/(f(x))$ for $\deg f = e$, and $\mathbb{F}_q[y]/(g(y))\cong \mathbb{Z}_p[x,y]/(f(x),g(y))$? I.e. it appears you are asking about the security of a bivariate form of RLWE with small modulus.
Mark
Note that if this interpretation is correct, you should be careful. Bivariate RLWE has some known security issues. In particular, you might hope that its security corresponds to univariate RLWE of degree $\deg f\cdot \deg g$. This is not always the case, see [On the security of multivariate RLWE](https://msp.org/obs/2020/4/p05.xhtml). The net effect is you might have to choose $p$ large enough that RLWE in $\mathbb{Z}_p[y]/(g(y))$ is still hard, i.e. negating the benefit of choosing the larger modulus $q = p^e$.
Mark
Note that there is no such issue if you simply work over $\mathbb{Z}/p^e\mathbb{Z}$ instead.
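To make the isomorphism in the comments above concrete, here is an added worked example (not part of the thread, and not code from any of the commenters). It builds $GF(q)$ with $q = p^e$ as $\mathbb{Z}_p[x]/(f(x))$, the ring $R = GF(q)[y]/(y^N+1)$ on top of it, and checks that multiplying in $R$ gives exactly the same result as multiplying in the bivariate ring $\mathbb{Z}_p[x,y]/(f(x),\,y^N+1)$. It then produces a Ring-LWE sample $b = a\cdot s + e$ in $R$. The parameters $p=7$, $f(x)=x^2+1$ (irreducible over $\mathbb{Z}_7$ because $-1$ is a non-residue mod 7), $e=2$, $N=4$ and the error bound are toy values chosen here for illustration only; nothing about them is secure.

```python
# Added example, not from the thread: Ring-LWE over GF(q)[y]/(y^N+1) with q = p^e,
# viewed as the bivariate ring Z_p[x,y]/(f(x), y^N+1). Toy parameters, chosen here.
import random

P = 7                 # prime characteristic (assumed toy value)
F = [1, 0, 1]         # f(x) = 1 + 0*x + x^2, monic, irreducible over Z_7 -> GF(49)
E = len(F) - 1        # extension degree e = 2, so q = p^e = 49
N = 4                 # power-of-two degree for g(y) = y^N + 1

# An element of GF(q) is a list of E coefficients (of x^0 .. x^(E-1)) mod P.
def gf_reduce(poly):
    """Reduce a Z_P[x] polynomial modulo the monic f(x), returning E coefficients."""
    poly = list(poly) + [0] * max(0, E - len(poly))
    for k in range(len(poly) - 1, E - 1, -1):
        c = poly[k]
        if c:
            poly[k] = 0
            # x^k = x^(k-E) * x^E and x^E = -(F[0] + F[1] x + ... + F[E-1] x^(E-1))
            for i in range(E):
                poly[k - E + i] = (poly[k - E + i] - c * F[i]) % P
    return poly[:E]

def gf_add(a, b):
    return [(x + y) % P for x, y in zip(a, b)]

def gf_sub(a, b):
    return [(x - y) % P for x, y in zip(a, b)]

def gf_mul(a, b):
    prod = [0] * (2 * E - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % P
    return gf_reduce(prod)

# An element of R = GF(q)[y]/(y^N+1) is a list of N GF(q) elements: r[j][i] <-> x^i y^j.
def ring_add(a, b):
    return [gf_add(x, y) for x, y in zip(a, b)]

def ring_sub(a, b):
    return [gf_sub(x, y) for x, y in zip(a, b)]

def ring_mul(a, b):
    """Negacyclic convolution over GF(q): y^N = -1."""
    out = [[0] * E for _ in range(N)]
    for i in range(N):
        for j in range(N):
            term = gf_mul(a[i], b[j])
            if i + j < N:
                out[i + j] = gf_add(out[i + j], term)
            else:
                out[i + j - N] = gf_sub(out[i + j - N], term)
    return out

def bivariate_mul(a, b):
    """Multiply the same data as polynomials in Z_P[x,y], then reduce mod (y^N+1, f(x))."""
    raw = [[0] * (2 * E - 1) for _ in range(2 * N - 1)]
    for j1 in range(N):
        for i1 in range(E):
            for j2 in range(N):
                for i2 in range(E):
                    raw[j1 + j2][i1 + i2] = (raw[j1 + j2][i1 + i2] + a[j1][i1] * b[j2][i2]) % P
    red = [list(row) for row in raw[:N]]
    for j in range(N, 2 * N - 1):            # y^j = -y^(j-N) for j >= N
        for i in range(2 * E - 1):
            red[j - N][i] = (red[j - N][i] - raw[j][i]) % P
    return [gf_reduce(row) for row in red]   # then reduce each y-coefficient mod f(x)

def uniform_elem(rng):
    return [[rng.randrange(P) for _ in range(E)] for _ in range(N)]

def small_elem(rng, bound=1):
    """'Small' is measured per Z_P-coordinate of each GF(q) coefficient."""
    return [[rng.randint(-bound, bound) % P for _ in range(E)] for _ in range(N)]

def rlwe_sample(s, rng):
    """One Ring-LWE sample (a, b = a*s + e) in R; returns e too so it can be checked."""
    a = uniform_elem(rng)
    e = small_elem(rng)
    return a, ring_add(ring_mul(a, s), e), e

def demo(seed=1):
    """Returns (isomorphism check, sample check) for a seeded run."""
    rng = random.Random(seed)
    u, v = uniform_elem(rng), uniform_elem(rng)
    iso_ok = ring_mul(u, v) == bivariate_mul(u, v)
    s = small_elem(rng)
    a, b, e = rlwe_sample(s, rng)
    sample_ok = ring_sub(b, ring_mul(a, s)) == e
    return iso_ok, sample_ok

if __name__ == "__main__":
    print(demo())
```

The data layout makes the isomorphism visible: a ring element is stored as $N$ blocks of $e$ integers mod $p$, and the same array is read either as $N$ coefficients in $GF(q)$ or as the coefficients of $x^i y^j$ in the bivariate ring. Note also that in this ring adding $1$ to itself $p$ times gives $0$, whereas in $\mathbb{Z}/p^e\mathbb{Z}$ it gives $p$, which is the distinction between $\mathbb{F}_q$ and $\mathbb{Z}_q$ raised above.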