Date of Award

2024

Document Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department

Mathematics

First Advisor

Christelle Vincent

Second Advisor

Carmen Petrick Smith

Abstract

Over the last twenty years, lattice-based cryptosystems have gained interest due to their levelof security against attacks from quantum computers. The main cryptosystems are based on the hardness of Ring Learning with Errors (RLWE). The Learning with Errors (LWE) problems were first introduced in 2005 by Regev [Reg09] and in 2010, [LPR10] developed the Ring Learning with Errors (RLWE) problems as candidates for safe encryption against quantum computers. Let K be a number field with ring of integers OK. For a prime q, the RLWE problems rely on samples of the form (a, b) ∈ OK/qOK × OK/qOK where a is drawn uniformly at random and b = as + e where s ∈ OK/qOK is called the secret and e is a small error term drawn from a Gaussian distribution. Since the introduction of RLWE, attacks for solving the search and decision problems have been developed to exploit vulnerabilities of underlying number fields (mostly 2-power cyclotomic fields). An area which has been studied less rigorously is on the bounds of the security parameters to ensure safety from attack. We aim to study the security parameters for the Chi-Squared Attack from [CLS17a, CLS17b] which attempt to solve the non-dual RLWE decision problem. After testing the parameters suggested in the current literature ([CLS17b, Pei16b]), we suggest that we can find tighter bounds that rely on the norm of the prime q ⊂ OK and the standard deviation σ of the Gaussian distribution from which the error terms are drawn. Another area of interest involves the ways in which the error terms are sampled and how to control its growth in size. This is of particular interest for the Polynomial Ring Learning with Errors (PLWE) problems because sampling the error coefficients require that we sample from a monogenic ring. In short, the process of sampling the error terms amounts to choosing a “small” vector in OK and then reducing it modulo a prime q. The PLWE problem is not typically defined for non-monogenic number fields. However, for f(x) ∈ Z[x] a monic irreducible polynomial of degree n, the Dedekind-Kummer Theorem tells us that while P = Z[x]/⟨f(x)⟩ is not isomorphic to OK in most cases, OK/(q) ∼= Fq[x]/⟨f(x)⟩ when q does not divide the index of P in OK. Our work studies, first, the possibility of sampling “small” error vectors in Fq[x]/⟨f(x)⟩ directly. This approach was not promising. Our second approach uses coset representatives. Suppose [OK : Z[α]] = m > 1 for a root α ∈ K of a minimal polynomial f. Let β1, . . . , βm be coset representatives of OK/Z[α]. Suppose we sample p(α) ∈ P according to PLWE and sample βi uniformly at random. Output p(α)+βi ∈ OK. Calculating the statistical distance between this PLWE sampling algorithm and the RLWE sampling algorithm, we hope to expand the PLWE sampling to a wider class of rings of integers.

Language

en

Number of Pages

93 p.

Included in

Mathematics Commons

Share

COinS