
Location: Egham
Salary: £37,345 per annum – including London Allowance
Closing Date: Friday 05 April 2019
Interview Date: To be confirmed
Reference: 0219-081

The postdoc will work alongside Dr. Martin Albrecht and other cryptographic researchers in the ISG on topics in lattice-based cryptography and related fields. One post is funded by a joint grant between Royal Holloway and Imperial College (Dr. Cong Ling) for bridging the gap between lattice-based cryptography and coding theory (starting date: 15 April or later). The second post is funded by an EPSRC grant on investigating the security of lattice-based and post-quantum cryptographic constructions (starting date: 1 June or later). Applicants with a strong background in all areas of cryptography are encouraged to apply.

Applicants should have already completed, or be close to completing, a PhD in a relevant discipline. Applicants should have an outstanding research track record in cryptography. Applicants should be able to demonstrate scientific creativity, research independence, and the ability to communicate their ideas effectively in written and verbal form.

The ISG is one of the largest departments dedicated to information security in the world with 21 core academic staff in the department, as well as research and support staff. We work with many research partners in other departments and have circa 90 PhD students working on a wide range of security research, many of whom are fully funded through our Centre for Doctoral Training in Cyber Security. We have a strong, vibrant, embedded and successful multi-disciplinary research profile spanning from cryptography to systems security and social aspects of security. This vibrant environment incorporates visiting researchers, weekly research seminars, weekly reading groups, PhD seminars and mini conferences, the WISDOM group (Women in the Security Domain Or Mathematics) and we are proud of our collegial atmosphere and approach.

If you require any further information please email: recruitment@rhul.ac.uk. Informal enquiries can be made to Martin Albrecht at martin.albrecht@rhul.ac.uk.

- Please quote the reference: 0219-081
- Closing Date: Midnight, 5 April 2019
- Interview Date: To be confirmed

Fully Funded 4-year PhD Studentships at the EPSRC funded Royal Holloway Centre for Doctoral Training in Cyber Security for the Everyday

We are pleased to advertise positions for up to 10 PhD studentships to begin in September 2019 at the new Centre for Doctoral Training (CDT) in Cyber Security for the Everyday at Royal Holloway University of London.

We seek applications or informal expressions of interest from students and researchers with an interest in cyber security. In addition to Mathematics and Computer Science, relevant disciplines may include Human Geography, Sociology, Criminology, Law, Political Science, International Relations, Classics, Archaeology, Cultural Studies, Media Studies and more.

Building on two previous Centres for Doctoral Training in Cyber Security based at Royal Holloway, and anchored within the Information Security Group, the new CDT reflects the growth in and need for interdisciplinary research which critically engages with everyday cyber security questions. It does so by combining an understanding of technical systems with social science and humanities approaches to cyber security, personal information and growing datafication. In a broad sense, PhD projects will explore cyber security in the context of societal needs, critically evaluate the contribution cyber security makes to societal and individual securities and place discussions over the ethics, rights, responsibility and fairness of cyber security at the centre rather than at the periphery. Other academic departments involved in the Centre include Computer Science, Geography, Law, Psychology and Politics and IR.

Whilst broad in scope, the CDT is driven by two overarching strands of enquiry:

- The technologies deployed in digital systems that people use, sometimes inadvertently, every day; and
- Everyday societal experiences of cyber security, including how different societies, communities, groups and individuals conceptualise, materialise, negotiate, and respond to increasingly digitally mediated and technologically driven worlds

A central aspect of the CDT programme is interdisciplinary collaboration as students work on shared projects and other collaborative activities within their PhD cohort. This is encouraged throughout their studies but is a key component of the first year, which is devoted to training activities and individual and group projects. Students may not have established project ideas at the time of recruitment but develop these during the first year.

The core strategic objectives of the CDT in Cyber Security for the Everyday are:

- To develop cohorts of truly multi-disciplinary researchers, with a broad understanding of cyber security and a strong appreciation of the interplay between technical and social questions;
- To promote research in cyber security that is original, significant, responsible, of international excellence and responsive to societal needs; and
- To engage with stakeholders in the cyber security community and wider society

We are keen to encourage applications from across the Social Sciences and Humanities. Potential areas of interdisciplinary study include but are not limited to:

Conceptualise

- The arts and critical discourses of cyber security
- Agenda-setting, framing and cyber security
- Feminist cyber security
- Social difference, intersectionality and cyber security
- Intimate spaces of cyber security (including the body, home, etc.)
- Everyday/routine violences and cyber security
- Solidarity and resistance and alternative forms of cyber security
- Narratives of security
- Ontological security across disciplines and forms of expression

Materialise

- Contemporary archaeologies of cyber security
- Cyber security and the city
- The materiality of digital mediation in cyber security
- Media as data
- Resistance through data, memes/gifs/films
- Simulation and simulated affect: emotional security data & machines

Negotiate

- Sustainable development goals and cyber security
- The impact of cyber security and public policy
- Territory, diplomacy and cyber security
- Regional and international cyber security
- Transnational and global governance of cyber security
- Cyber security of democratic institutions
- Cybersecurity at work
- Organisational approaches to and processes of cybersecurity
- Cybersecurity profession and professionals
- E-surveillance at work

Respond

- Mobilities, automated and autonomous mobility systems
- Resistance, dissent and cyber security
- Hate crimes and affect
- Cultural economies, crypto-currencies and piracy
- The dark web, visibility and invisibility
- Practices of data hacking in media consumption.

Location: Egham
Salary: £39,479 to £41,743 per annum – including London Allowance
Closing Date: Tuesday 12 March 2019
Interview Date: To be confirmed
Reference: 0219-048

The Information Security Group at Royal Holloway University of London is seeking to recruit a postdoctoral research assistant (PDRA) to work in the area of cryptography. The position is available for immediate start, for up to 26 months (until 31 March 2021).

The PDRA will work alongside Prof. Carlos Cid, Dr. Martin Albrecht and other cryptographic researchers at Royal Holloway on topics connected to the design and analysis of cryptographic key exchange protocols that support incorporating key material from diverse sources. This post is part of the AQuaSec project, an Innovate UK-funded research project with 17 partners from industry and academia, aiming to develop technologies for quantum-safe communications by integrating post-quantum cryptography with techniques from quantum cryptography.

Applicants for this role should have already completed, or be close to completing, a PhD in a relevant discipline, with an outstanding research track record in cryptography. Applicants should be able to demonstrate scientific creativity, research independence, and the ability to communicate their ideas effectively in written and verbal form. Salary is £39,479 per annum, inclusive of London Allowance. This post is appointed at Grade 7, Spine point 34.

Established in 1990, the Information Security Group at Royal Holloway was one of the first dedicated academic groups in the world to conduct research and teaching in information security. The ISG is today a world-leading interdisciplinary research group with 20 full-time members of staff, several postdoctoral research assistants and over 50 PhD students working on a range of subjects in cyber security, in particular cryptography.

In return we offer a highly competitive rewards and benefits package including:

- Generous annual leave entitlement
- Training and Development opportunities
- Pension Scheme with generous employer contribution
- Various schemes including Cycle to Work, Season Ticket Loans and help with the cost of Eyesight testing.
- Free parking
- Competitive Maternity, Adoption and Shared Parental Leave provisions

The post is based in Egham, Surrey where the College is situated in a beautiful, leafy campus near to Windsor Great Park and within commuting distance from London.

To view further details of this post and to apply please visit https://jobs.royalholloway.ac.uk. For queries on the application process the Human Resources Department can be contacted by email at: recruitment@rhul.ac.uk. Informal enquiries can be made to Prof. Carlos Cid at carlos.cid@rhul.ac.uk.

Please quote the reference: 0219-048

Closing Date: Midnight, 12 March 2019

Interview Date: To be confirmed

**PS:** I will have two more postdoc positions on lattice-based cryptography in the next few weeks/months.

Note that most of these positions are reserved for UK residents; residency, however, is not the same as nationality (see the CDT website for details), and there might also be some wiggle room for EU residents.

Royal Holloway is pleased to announce up to 10 fully-funded PhD studentships (four years of enhanced stipend and fees) in its EPSRC Centre for Doctoral Training in Cyber Security for the Everyday.

The CDT was first established in 2013, and has as its main objective to develop cohorts of multidisciplinary researchers with a broad understanding of cyber security and a strong appreciation of the interplay between technical and social issues.

Research in the CDT will address challenges concerning:

- the technologies deployed in digital systems that people use, sometimes inadvertently, every day;
- the everyday societal experience and practice of security.

The CDT is centred around Royal Holloway’s Information Security Group and partners with departments throughout the institution. We offer a collegiate and inclusive environment, exemplified by our award-winning WISDOM group, which supports female cyber-security staff and students.

CDT researchers follow a four-year PhD programme. The first year consists of comprehensive multidisciplinary cyber security training. The remaining three years focus on research in an advanced topic in the field of cyber security, including, but not restricted to:

- Embedded technology security
- Secure and trusted systems
- Cryptography and its applications
- Trust, rights and understanding of cyber security
- Methodological innovation in researching cyber security
- Difference and inequalities in cyber security

We welcome applications from candidates with undergraduate and/or masters qualifications in a wide range of technical and social disciplines of relevance to cyber security.

For more information on course of study, entrance requirements, funding, application process, research priorities and existing CDT activities, see: https://www.royalholloway.ac.uk/research-and-teaching/departments-and-schools/information-security/studying-here/centre-for-doctoral-training-in-cyber-security/

The ISG is a nice place to work; it’s a very friendly environment with strong research going on in several areas. We have people working across the field of information security, including several people working on cryptography. A postdoc here is a 100% research position, i.e. you wouldn’t have teaching duties. That said, if you’d like to gain some teaching experience, we can arrange for that as well.

Also, if you have e.g. a two-body problem and would like to discuss flexibility about being in the office, feel free to get in touch.


Location: Egham
Salary: £36,654 per annum – including London Allowance
Closing Date: Monday 17 September 2018
Interview Date: To be confirmed
Reference: 0818-334

The ISG is seeking to recruit a post-doctoral research assistant to work in the area of cryptography. The position is available now and will run until the end of 2021.

The PDRA will work alongside Dr. Martin Albrecht and other cryptographic researchers at Royal Holloway on topics in lattice-based cryptography. This post is part of the EU H2020 PROMETHEUS project (http://prometheuscrypt.gforge.inria.fr) for building privacy preserving systems from advanced lattice primitives. Our research focus within this project is on cryptanalysis and implementations, but applicants with a strong background in other areas such as protocol/primitive design are also encouraged to apply.

Applicants should have already completed, or be close to completing, a PhD in a relevant discipline. Applicants should have an outstanding research track record in cryptography. Applicants should be able to demonstrate scientific creativity, research independence, and the ability to communicate their ideas effectively in written and verbal form.

In return we offer a highly competitive rewards and benefits package including generous annual leave and training and development opportunities. This is a full-time, fixed-term post based in Egham, Surrey, where the College is situated in a beautiful, leafy campus near to Windsor Great Park and within commuting distance from London.

Informal enquiries can be made to Martin Albrecht at martin.albrecht@royalholloway.ac.uk.

To view further details of this post and to apply please visit https://jobs.royalholloway.ac.uk/vacancy.aspx?ref=0818-334. For queries on the application process the Human Resources Department can be contacted by email at: recruitment@rhul.ac.uk.

Please quote the reference: 0818-334

Closing Date: Midnight, 17th September 2018

Interview Date: To be confirmed

(with a power of two^{1}) as the public key, where are both “small” and secret. To encrypt, Bob computes

where are small, is the message and some encoding function, e.g. . To decrypt, Alice computes

which is equal to . Finally, Alice recovers from the noisy encoding of where is the noise. In the Module-LWE variant the elements essentially live in , e.g. is not a polynomial but a vector of polynomials.

Thus, both encryption and decryption involve polynomial multiplication modulo . Using schoolbook multiplication this costs operations. However, when selecting parameters for Ring-LWE, we can choose so as to permit the use of an NTT to realise this multiplication (we require the **negacyclic** NTT, which has the modular reductions modulo baked in). Then, using the NTT, we can implement multiplication by

1. evaluation (perform NTT),
2. pointwise multiplication,
3. interpolation (perform inverse NTT).

Steps (1) and (3) take operations by using specially chosen evaluation points (roots of unity). Step (2) costs operations.

This trick is very popular. For example, many (but not all!) Ring-LWE based schemes submitted to the NIST PQC ~~competition~~ process use it, namely NewHope, LIMA (go LIMA!), LAC, KCL, HILA5, R.EMBLEM, Ding Key-Exchange, CRYSTALS-KYBER, CRYSTALS-DILITHIUM (sorry, if I forgot one). Note that since steps (1) and (3) are the expensive steps, it makes sense to remain in the NTT domain (i.e. after applying the NTT) and only to convert back at the very end. For example, it is faster for Alice to store in the NTT domain and, since the NTT maps uniform to uniform, to sample in the NTT domain directly, i.e. to just assume that a random vector is already the output of an NTT on some other random vector.

This post is about two recent results I was involved in suggesting that this is not necessarily always the best choice (depending on your priorities).

**Warning: This is going to be one of those clickbait-y pieces where the article doesn’t live up to the promise in the headline. The NTT is fine. Some of my best friends use the NTT. In fact I’ve implemented and used the NTT myself.**

In a recent work with Kenny Paterson and Amit Deo, we studied cold boot attacks on Ring-/Module-LWE-based cryptographic primitives. In a cold boot attack the attacker is assumed to have physical access to a machine shortly after a power down cycle, e.g. after kicking in the target’s door and seizing their computer. The attacker proceeds by extracting from memory a noisy version of a scheme’s secret key, where a small number of bits have been flipped. The attacker then recovers the key by applying bespoke error correction algorithms.

The performance of the attack depends on the performance of the bespoke error correction algorithm. First, consider Ring-/Module-LWE as described above. In this scenario, the attacker encounters , where represents the bit flips. Thus, the attacker has to solve the following problem:

i.e. a Ring-/Module-LWE instance with secret . Note that is sparse when considered as a bitstring. However, it is not, a priori, small when considered . Yet, since we know that is small, we can simply ignore the higher order bits of . Thus, in this setting is both sparse and small. In our paper, we estimate that solving this problem for Kyber-768 and a bit flip rate of roughly takes operations.

Now, let’s consider the case when is stored in the NTT domain. The attacker observes some . Using the fact that an NTT application can be written as a matrix multiplication with a full-rank, structured matrix, we can write:

where is the matrix representation of the inverse negacyclic NTT. In our paper, we refer to recovering as the **cold boot NTT decoding problem**. On the one hand, this problem seems harder than the above problem: since lattice reduction finds small things, we’d rather have small when considered . However, in contrast to the scenario above, we cannot easily arrange for that. In our paper, we handle this by guessing the higher order bits of (of which there are few since is sparse as a bitstring). On the other hand, the problem is easier for two reasons. Firstly, in the Module-LWE setting and the NTT is applied to each component of individually. Thus, the dimension of the problem is only instead of .

Secondly, and more interestingly, is very structured. For example, consider : given a -th root of unity , we can write the **forward** negacyclic NTT in matrix form as

Adding the rows and for , we obtain , as shown below, which corresponds to the NTT matrix for scaled by :

Thus, we can “fold” our problem in dimension to a problem in dimension . However, note that I used the **forward** negacyclic NTT above instead of the inverse negacyclic NTT. The technical reason for this is that folding the inverse would introduce some scaling terms which do not map small things to small things. See paper for details.

We can now solve the problem by recursively folding it down to a manageable dimension, each time adding up two components of to produce a new, shorter vector . Since each fold adds noise components together, we cannot fold “all the way down”, as we would end up with a vector that isn’t sparse any more. In our paper we fold down to , where we then apply a combination of guessing bits and lattice point enumeration. For Kyber-768 we estimate this to cost operations for the same bit flip rate as above.

On the other hand, this trick doesn’t work so well when considering NewHope instead of Kyber. The chief difference between the two is that in the case of Module-LWE (i.e. Kyber) we get a reduction in dimension by a factor for free, but we do not get this advantage in the Ring-LWE setting (i.e. NewHope). For NewHope and the parameters we looked at, the attack performs roughly the same in the NTT and non-NTT domain. It is also worth mentioning that our work is a bit of a near-miss: if we didn’t have to decode the **negacyclic** NTT but only a plain NTT, then we would preserve sparsity of while folding (since we’d add components of to each other instead of components of ). I’m mentioning this here to flag that we might have missed some neat trick to do the same for the negacyclic case. Also, let me mention that our paper comes with Sage code to play with.
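The following Python is an added illustration of the NTT multiplication steps (1)-(3) described above and of the row-folding identity used in the cold boot decoding attack; it is not the paper's Sage code. It assumes toy parameters q = 17, n = 8, psi = 3 (not Kyber's), chosen so that 2n divides q - 1, and a constructed sparse noise vector standing in for bit flips.

```python
"""Negacyclic NTT multiplication in Z_q[x]/(x^n + 1) and the row-folding identity
behind the cold boot NTT decoding attack.  This is an added example, not the
paper's Sage code; q = 17, n = 8, psi = 3 are small constructed parameters
(Kyber uses q = 3329, n = 256) chosen so that 2n divides q - 1."""

Q, N = 17, 8   # 2n = 16 divides q - 1 = 16, so a primitive 16th root of unity exists
PSI = 3        # 3 has multiplicative order 16 mod 17, hence PSI**N == -1 (mod 17)


def negacyclic_ntt(a, q, psi):
    """Forward negacyclic NTT: a_hat[j] = sum_i a[i] * psi^((2j+1) i) mod q,
    i.e. a(x) evaluated at the roots of x^n + 1 (the odd powers of psi)."""
    n = len(a)
    return [sum(a[i] * pow(psi, (2 * j + 1) * i, q) for i in range(n)) % q
            for j in range(n)]


def negacyclic_intt(a_hat, q, psi):
    """Inverse negacyclic NTT: a[i] = n^-1 * sum_j a_hat[j] * psi^(-(2j+1) i) mod q."""
    n = len(a_hat)
    inv_n, inv_psi = pow(n, -1, q), pow(psi, -1, q)
    return [inv_n * sum(a_hat[j] * pow(inv_psi, (2 * j + 1) * i, q)
                        for j in range(n)) % q for i in range(n)]


def mul_ntt(a, b, q, psi):
    """Steps (1)-(3) from the text: evaluate, multiply pointwise, interpolate."""
    a_hat, b_hat = negacyclic_ntt(a, q, psi), negacyclic_ntt(b, q, psi)
    return negacyclic_intt([x * y % q for x, y in zip(a_hat, b_hat)], q, psi)


def mul_schoolbook(a, b, q):
    """Reference O(n^2) multiplication modulo x^n + 1 (x^n wraps around as -1)."""
    n = len(a)
    res = [0] * n
    for i in range(n):
        for j in range(n):
            if i + j < n:
                res[i + j] += a[i] * b[j]
            else:
                res[i + j - n] -= a[i] * b[j]
    return [c % q for c in res]


def fold(vec, q):
    """One folding step: add components j and j + n/2.  Since psi^(n i) = (-1)^i,
    the odd-index terms of the forward NTT cancel and the even ones double, so
    fold(NTT_n(s)) == 2 * NTT_{n/2}(s[0::2]) with psi^2 as the new root of unity.
    On NTT(s) + e the noise becomes e[j] + e[j + n/2]: shorter, but less sparse."""
    h = len(vec) // 2
    return [(vec[j] + vec[j + h]) % q for j in range(h)]


def residual_noise(s_tilde, s, q, psi, levels):
    """Fold the noisy NTT-domain key s_tilde = NTT(s) + e `levels` times and
    subtract the folded contribution of the surviving secret coefficients
    s[0::2^levels]; what remains is the (folded) noise still to be decoded."""
    folded = list(s_tilde)
    for _ in range(levels):
        folded = fold(folded, q)
    step = 1 << levels                        # each fold halves n and squares psi
    sub = negacyclic_ntt(s[::step], q, pow(psi, step, q))
    return [(f - step * x) % q for f, x in zip(folded, sub)]


def demo():
    """Constructed cold boot instance: the stored key NTT(s) is hit by two
    'bit flips' (+8 in slot 1, -4 = 13 mod 17 in slot 5); after one fold the
    residual noise is exactly fold(e), which the attacker would have to decode."""
    s = [1, 16, 0, 2, 15, 1, 0, 1]            # constructed small secret, mod 17
    e = [0, 8, 0, 0, 0, 13, 0, 0]             # constructed sparse bit-flip noise
    s_hat = negacyclic_ntt(s, Q, PSI)
    s_tilde = [(x + y) % Q for x, y in zip(s_hat, e)]
    return residual_noise(s_tilde, s, Q, PSI, 1), fold(e, Q)
```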

Now, to relate this to my lurid headline. Clearly, under our attacks, using the NTT or not makes no difference for Ring-LWE. For Module-LWE, though, we do get better attacks under the NTT. However, this doesn’t mean we have to drop the NTT when cold boot attacks are a concern. Simply storing the key not in NTT domain would be sufficient.

The second work I want to discuss is co-authored with Christian Hanser, Andrea Hoeller, Thomas Pöppelmann, Andreas Wallner (all Infineon) and Fernando Virdia. In this work we implemented Kyber-768 on a smart card. Specifically, the kind of smart card found in e.g. German passports. So, NetBSD runs on a toaster, lattice-based cryptography runs on a passport. These sorts of smart cards come equipped with a cryptographic co-processor (or several of them), most importantly with a co-processor for speeding up RSA. Note that the main CPU doesn’t even have a hardware word-sized integer multiplier. At the end of the day, to run RSA you need to be able to compute for integers of bits (or larger, but these cards are limited to roughly 2000 bits). Thus, these RSA co-processors are essentially modular integer multipliers. Now, to make use of these facilities, we can apply Kronecker substitution.

Kronecker substitution is a classical technique in computer algebra for reducing polynomial arithmetic to large integer arithmetic. The fundamental idea behind this technique is that univariate polynomial and integer arithmetic are identical except for carry propagation in the latter. Thus, coefficients are simply packed into an integer in such a way as to terminate any possible carry chain. For example, say, we want to multiply two polynomials with in . We may write and . Multiplying gives or . In implementations, we use powers of two as evaluation points since this permits efficient “packing” (polynomial to integer) and “unpacking” (integer to polynomial) using only cheap bit shifts.

Thus, at a high-level, our implementation realises polynomial multiplication using Kronecker substitution instead of the NTT. In reality everything is a bit more messy. Firstly, just applying this strategy would produce integers of more than bits which wouldn’t fit into our hardware multiplier. We address this by firstly applying the KS2 algorithm of David Harvey.

The KS2 algorithm proceeds as follows. Assume are such that their product has positive coefficients bounded by . Let

Then, we can recover the even coefficients of from

and the odd coefficients from

since the sum and the difference cancel out either the even or the odd powers. The coefficients can either be read off directly, taking care of their offset, or obtained by dividing the above quantities by the appropriate power of over the integers.

However, this still does not produce integers that fit into our multiplier. Thus, secondly, on top of these integer multiplications we perform (low-degree) polynomial multiplication (Karatsuba or schoolbook), essentially splitting up our problem into several 2000-bit-sized problems.

Thirdly, naively we would only load 1000-bit integers into our multiplier to ensure that the product is at most 2000 bits. However, it turns out we can merge (some of) the modular reductions modulo into the integer multiplication by computing modulo . That is, we can exploit that RSA co-processors are modular multipliers, which in turn permits us to use the full 2000 bits of our multiplier. This is somewhat analogous to using the negacyclic instead of the normal NTT, where the former has the modular reductions modulo baked in.
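As an added example (not the Infineon/Royal Holloway implementation), the Python below uses big integers in place of the RSA co-processor to show plain Kronecker substitution, Harvey's KS2 even/odd split, and the negacyclic reduction obtained by multiplying modulo 2^(l n) + 1; q = 17 and n = 4 are assumed toy parameters, and the offset trick for negative wrapped coefficients is my own way of unpacking, not necessarily the paper's.

```python
"""Kronecker substitution (KS1), Harvey's KS2 variant, and merging the reduction
modulo x^n + 1 into a modular integer multiplication, as sketched in the text.
Added example, not the paper's code; q = 17 and n = 4 are constructed toy
parameters (the modulus 2^(l n) + 1 plays the role of the RSA co-processor's
modulus, with l n standing in for its roughly 2000-bit width)."""


def pack(coeffs, bits):
    """Evaluate the polynomial at x = 2**bits via Horner's rule (coefficients may
    be negative; Python integers absorb the resulting borrows)."""
    value = 0
    for c in reversed(coeffs):
        value = (value << bits) + c
    return value


def unpack(value, bits, count):
    """Read `count` non-negative coefficients of `bits` bits each out of `value`."""
    mask = (1 << bits) - 1
    return [(value >> (bits * i)) & mask for i in range(count)]


def schoolbook(a, b):
    """Reference product over the integers (no modular reduction)."""
    res = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            res[i + j] += x * y
    return res


def ks1_mul(a, b, bound_bits):
    """Plain Kronecker substitution: one integer multiplication at x = 2**bound_bits,
    where every product coefficient must be non-negative and < 2**bound_bits so
    that no carry chain crosses into the neighbouring slot."""
    n = len(a) + len(b) - 1
    return unpack(pack(a, bound_bits) * pack(b, bound_bits), bound_bits, n)


def ks2_mul(a, b, bound_bits):
    """Harvey's KS2: evaluate at 2**half and -2**half with half = ceil(bound/2), so
    each packed integer is only half as long.  c(2^half) + c(-2^half) keeps the even
    powers (doubled) and the difference keeps the odd powers (doubled, times 2^half);
    both unpack at base 2^(2*half) >= 2^bound_bits without slot overlap."""
    half = (bound_bits + 1) // 2
    n = len(a) + len(b) - 1
    alt = lambda p: [(-1) ** i * c for i, c in enumerate(p)]   # coefficients of p(-x)
    pos = pack(a, half) * pack(b, half)                         # c(2^half)
    neg = pack(alt(a), half) * pack(alt(b), half)               # c(-2^half)
    even = (pos + neg) >> 1                  # sum_k c[2k]   * 2^(2 half k)
    odd = (pos - neg) >> (half + 1)          # sum_k c[2k+1] * 2^(2 half k)
    res = [0] * n
    res[0::2] = unpack(even, 2 * half, (n + 1) // 2)
    res[1::2] = unpack(odd, 2 * half, n // 2)
    return res


def negacyclic_schoolbook(a, b, q):
    """Reference: multiply, then fold x^(i+n) onto -x^i and reduce mod q."""
    n = len(a)
    full = schoolbook(a, b) + [0]
    return [(full[i] - full[i + n]) % q for i in range(n)]


def negacyclic_mul_modular(a, b, q):
    """Multiply in Z_q[x]/(x^n + 1) with ONE modular integer multiplication
    modulo 2^(l n) + 1.  Since 2^(l n) == -1 there, the wrap x^n == -1 happens
    inside the multiplier, which is what 'merging the modular reductions into the
    integer multiplication' means.  Wrapped coefficients may be negative, so a
    constant offset D is added to every slot before unpacking (my own choice)."""
    n = len(a)
    D = n * q * q                      # every wrapped coefficient lies in (-D, D)
    l = (2 * D).bit_length()           # 2**l > 2D: offset coefficients fit a slot
    modulus = (1 << (l * n)) + 1
    prod = (pack(a, l) * pack(b, l)) % modulus      # what the co-processor returns
    all_ones = sum(1 << (l * i) for i in range(n))  # integer with a 1 in each slot
    shifted = (prod + D * all_ones) % modulus       # now every slot is in [0, 2**l)
    return [(c - D) % q for c in unpack(shifted, l, n)]
```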

Overall, this allows us to execute CCA-secure Kyber-768 key generation in 79.6 ms, encapsulation in 102.4 ms and decapsulation in 132.7 ms. Well, we do not actually implement Kyber as specified. Firstly, Kyber specifies SHA-3 but our smart card has a SHA-2 co-processor. Thus, we replace SHA-3 with SHA-2. Secondly, Kyber assumes that the output of its random polynomial generator is in the NTT domain. That is, when sampling the vector the specification assumes that is already the output of applying the NTT. This saves on NTT applications since arithmetic in the reference implementation is done using the NTT. However, the whole point of our implementation is to replace the NTT by the hardware integer multiplier. To be compliant, we would thus have to apply an inverse NTT on before using it in our multiplication routine. This extra call to a software NTT (recall that we don’t even have a word-sized integer multiplier on the CPU) would kill all the performance gains obtained by making use of the RSA co-processor, which is why we do not do it.

So, to finally make good on that headline, there are platforms where you do not want to implement an NTT, and “hardcoding” an NTT in the specification of a scheme leads to performance losses on those platforms. Thus, insofar as you care about such platforms, you may want to avoid the NTT. On the other hand, as smart card land is moving towards stronger CPUs, e.g. those having one of those fancy single-cycle word-sized integer multipliers, perhaps these considerations become less important.

Finally, let me mention that this paper, too, comes with Sage code to play with.

^{1} Alternatively, we can also consider for a prime, as in e.g. LIMA-2p.

Welcome to the EPSRC Centre for Doctoral Training (CDT) in Cyber Security at Royal Holloway. The Centre was established in 2013, and has as its main objective to produce cohorts of highly-trained researchers with a broad understanding of cyber security.

The CDT is hosted by the Information Security Group (ISG), and provides multidisciplinary training to annual cohorts of around ten students each. The students follow a 4-year doctoral programme: the first phase consists of a taught component comprising 25 per cent of the programme. The remaining three years follow the more traditional path of doctoral studies, with each student undertaking research in an advanced topic in the field of cyber security. See the CDT Course of Study page for more information about the programme.

CDT recruitment typically runs from November to April, to select students for the CDT cohort to start the following September. Selected applicants are awarded fully-funded PhD studentships (stipend and College fees) for four years. We consider applications from candidates with undergraduate and masters qualifications in a wide range of disciplines, including, but not limited to, mathematics, computer science, and electrical and electronic engineering.

We are now open to receive applications for students to start their PhD studies in September 2018. Please explore the links below to learn more about the entry requirements, funding and eligibility, and how to apply to Royal Holloway’s CDT in Cyber Security.


Location: Egham
Salary: £36,654 per annum – including London Allowance
Closing Date: Sunday 10 December 2017
Interview Date: To be confirmed
Reference: 0817-306-R

As a result of a collaboration between L3 TRL Technology and Royal Holloway, University of London, applications are invited for a postdoctoral research assistant position in the Information Security Group (ISG) at Royal Holloway to work in the area of post-quantum cryptography.

Post-Quantum (PQ) cryptography refers to cryptographic algorithms and schemes that are expected to be resistant to cryptanalytic attacks based on quantum computers. Examples include lattice-based encryption and signature schemes, code-based public-key cryptosystems, Multivariate Quadratic (MQ) cryptosystems, and hash-based digital signature schemes. The goal of this industry-funded two-year project is to investigate and propose novel methods and techniques for hardware implementation of popular and promising post-quantum cryptographic schemes.

The post is based in the Information Security Group at Royal Holloway’s main campus in Egham, Surrey, within commuting distance from London. The successful applicant will work with Prof Carlos Cid, Dr Martin Albrecht and other members of the ISG on research into efficient and secure hardware implementations of post-quantum cryptographic schemes. An initial focus will be on the FPGA implementation aspects of lattice-based key exchange schemes (e.g. RLWE schemes and variants) and code-based key exchange schemes (e.g. the McEliece cryptosystem and variants). They will consider the specific mathematical structure and features of these schemes, and will investigate the most suitable algorithmic and parameter choices for FPGA implementations. Moreover, potential trade-offs involving implementation costs, speed and scalability will be evaluated, considering for example the deployment in particular environments.

We are looking for a candidate with a PhD degree in a relevant subject and strong background and experience in FPGA implementation, ideally of cryptographic algorithms. The post will last for two years and the ideal candidate should be able to start as soon as possible.

Established in 1990, the Information Security Group at Royal Holloway was one of the first dedicated academic groups in the world to conduct research and teaching in information security. The ISG is today a world-leading interdisciplinary research group with 20 full-time members of staff, 10 post-doctoral research assistants and over 50 PhD students working on a range of subjects in cyber security, in particular cryptography.

For an informal discussion about the post, please contact Prof Carlos Cid on carlos.cid@rhul.ac.uk or +44 (0)1784 414685.

To view further details of this post and to apply please visit https://jobs.royalholloway.ac.uk. For queries on the application process the Human Resources Department can be contacted by email at: recruitment@rhul.ac.uk.

Please quote the reference: 0817-306-R

Closing Date: Midnight, 10 December 2017

Interview Date: To be confirmed

We present a reduction from the module learning with errors problem (MLWE) in dimension and with modulus to the ring learning with errors problem (RLWE) with modulus . Our reduction increases the LWE error rate by a quadratic factor in the ring dimension and a square root in the module rank for power-of-two cyclotomics. Since, on the other hand, MLWE is at least as hard as RLWE, we conclude that the two problems are polynomial-time equivalent. As a corollary, we obtain that the RLWE instance described above is equivalent to solving lattice problems on module lattices. We also present a self-reduction for RLWE in power-of-two cyclotomic rings that halves the dimension and squares the modulus while increasing the error rate by a similar factor as our MLWE to RLWE reduction. Our results suggest that when discussing hardness to drop the RLWE/MLWE distinction in favour of distinguishing problems by the module rank required to solve them.

Our reduction is an application of the main result from Classical Hardness of Learning with Errors in the context of MLWE. In its simplest form, that reduction proceeds from the observation that for with small it holds that

Thus, if there exists an efficient algorithm solving the problem in , we can use it to solve the problem in .

In our paper, we essentially show that we can replace the integers mod resp. with the ring of integers of a cyclotomic field (considered mod resp. ). That is, we get the analogous reduction from (MLWE) to (RLWE). The bulk of our paper is concerned with making sure that the resulting error distribution is sound. This part differs from the *Classical Hardness* paper since our target distribution is in rather than .

Since the Module-LWE problem has been suggested (e.g. here) to hedge against algebraic attacks on Ring-LWE, a natural question is how to interpret this reduction. One might be tempted to conclude that the suggestion is simply wrong. That is, looked at in abstraction from the size of the modulus (for a constant error rate ), Module-LWE seems no more secure than Ring-LWE and thus a poor hedging strategy.

However, this abstraction from the size of the modulus is misleading (hat tip to our anonymous referees and Léo Ducas). If there exists an efficient algorithm that solves Ring-LWE for a fixed error rate but *any* modulus, then this algorithm can also be used to solve any LWE instance. This was already remarked in the *Classical Hardness* paper and we give a sketch in Appendix B of our paper: convert LWE to a 1-dimensional instance with exponential modulus and then construct an RLWE instance from this 1-dimensional instance. Such an adversary might exist, i.e. we cannot in principle rule out that LWE might be easy, but it will not be an adversary exploiting the special algebraic structure of Ring-LWE since LWE has none of that.

Furthermore, consider the dual attack on plain LWE using a set of samples . In order to perform this attack, a short vector in the -dimensional dual lattice to the lattice formed by the must be found. This dual lattice has volume with high probability. Using the Gaussian heuristic, the shortest vector in such a lattice is expected to have length . The attack proceeds by noticing that the inner product should be small in the case of LWE samples and uniform otherwise. In particular, the smaller , the more certain we are that the samples were in fact from an LWE distribution. Concretely, for a fixed error rate , we have in the case where the modulus is . On the other hand, if the modulus is , we expect which is larger for fixed . Therefore, the performance of the dual attack diminishes for growing . Indeed, our output RLWE instance in modulus has noise of size at least . Thus, our RLWE output instances *cannot* be solved by finding short vectors in lattices of module rank 2 ( in the above notation) using standard dual attacks, in contrast to typical RLWE instances used in the literature. In other words: “Our results suggest that, when discussing hardness, one should drop the RLWE/MLWE distinction in favour of distinguishing problems by the module rank required to solve them.”

As alluded to above, large modulus RLWE instances are not very popular in cryptographic constructions. A reason for this is that they tend not to work very well in those constructions. Recall, for example, the simple public-key encryption scheme from the original RLWE paper which serves as the blueprint for many subsequent constructions. The scheme publishes a public key , where both and are small elements from the ring of integers of a power-of-two cyclotomic field. Encryption of some polynomial with coefficients is then performed by sampling short and outputting:

The decryption algorithm computes

Let be the norm of . Clearly, the final message will have noise of norm . Thus, to ensure correct decryption, has a quadratic dependency on . As a consequence, in this construction, increasing and can only *reduce* security by increasing the gap between noise and modulus.

However, this issue can be avoided (and is avoided when basing the construction on the MLWE assumption) by picking some at the cost of publishing more samples in the public key. For example, if the public key becomes

where have norm . Encryption of some polynomial is then performed by sampling short with norm and outputting

The decryption algorithm computes

The security of the public key reduces to the hardness of RLWE in dimension with modulus and noise size as before. The security of encryptions reduces to the hardness of MLWE in dimension over ring dimension , modulus and noise size , i.e. the level of security is maintained for by increasing the dimension. While we still require , the size of can be reduced at the cost of increasing .

Finally, we may think of Regev’s original encryption scheme as one extreme corner of this design space (for LWE) with , where are binary and where . That is, in the construction above, we can replace the Module-LWE assumption by the leftover hash lemma if is sufficiently big. Of course, this comes at the cost of a significant increase in the size of the public key. On the other hand, we would now only require .

Reducing the Learning with Errors problem (LWE) to the Unique-SVP problem and then applying lattice reduction is a commonly relied-upon strategy for estimating the cost of solving LWE-based constructions. In the literature, two different conditions are formulated under which this strategy is successful: one, widely used, goes back to Gama & Nguyen’s work on predicting lattice reduction (Eurocrypt 2008); the other was recently outlined by Alkim et al. (USENIX 2016). Since these two estimates predict significantly different costs for solving LWE parameter sets from the literature, we revisit the Unique-SVP strategy. We present empirical evidence from lattice-reduction experiments exhibiting a behaviour in line with the latter estimate. However, we also observe that in some situations lattice reduction behaves somewhat better than expected from Alkim et al.’s work and explain this behaviour under standard assumptions. Finally, we show that the security estimates of some LWE-based constructions from the literature need to be revised and give refined expected solving costs.

Our work is essentially concerned with spelling out in more detail and experimentally verifying a prediction made in the New Hope paper on when lattice reduction successfully recovers an unusually short vector.

Denoting by the unusually short vector in some lattice of dimension (say, derived from some LWE instance using Kannan’s embedding), the block size used for the BKZ algorithm and the root-Hermite factor for , then the New Hope paper predicts that can be found if

under the assumption that the Geometric Series Assumption holds (until a projection of the unusually short vector is found).

The rationale is that this condition ensures that the projection of orthogonally to the first (Gram-Schmidt) vectors (denoted as ) is shorter than the expectation for the -th Gram-Schmidt vector under the GSA and thus would be found by the SVP oracle when called on the last block of size . Hence, for any satisfying the above inequality, the actual behaviour would deviate from that predicted by the GSA. Finally, the argument can be completed by appealing to the intuition that a deviation from expected behaviour on random instances — such as the GSA — leads to a revelation of the underlying structural, secret information. In any event, such a deviation would already solve Decision-LWE.
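As an added illustration (not code from the paper or this post), the following Python estimator turns the success condition above into a block-size prediction for an LWE instance. It assumes the condition in the form sqrt(β/d)·‖v‖ ≤ δ^(2β−d−1)·Vol(L)^(1/d) from Alkim et al., Chen's asymptotic formula for δ(β), and a Bai–Galbraith style embedding of dimension d = n+m+1 and volume q^m with Gaussian secret and error of standard deviation σ; the NewHope-like parameters at the end are constructed sample input.

```python
import math


def root_hermite_factor(beta):
    """delta(beta) for BKZ-beta via the usual asymptotic formula from
    Chen's thesis (assumption: only meaningful for beta >= ~50)."""
    return ((math.pi * beta) ** (1.0 / beta) * beta / (2 * math.pi * math.e)) ** (
        1.0 / (2 * (beta - 1))
    )


def usvp_condition_holds(beta, d, norm_v, log_vol):
    """2016 estimate, restated here as an assumption: BKZ-beta recovers v
    if sqrt(beta/d) * ||v|| <= delta^(2*beta - d - 1) * Vol(L)^(1/d).
    Both sides are compared in log space so that q^m never overflows."""
    log_delta = math.log(root_hermite_factor(beta))
    lhs = 0.5 * math.log(beta / d) + math.log(norm_v)
    rhs = (2 * beta - d - 1) * log_delta + log_vol / d
    return lhs <= rhs


def embedding_parameters(n, q, sigma, m):
    """Assumed Bai-Galbraith style embedding: dimension d = n + m + 1,
    volume q^m, and v = (e, s, 1) with Gaussian s and e of std. dev. sigma,
    so ||v|| ~ sqrt(sigma^2 (n + m) + 1). Returns (d, ||v||, log Vol)."""
    d = n + m + 1
    norm_v = (sigma ** 2 * (n + m) + 1) ** 0.5
    log_vol = m * math.log(q)
    return d, norm_v, log_vol


def min_block_size(n, q, sigma, m, beta_min=50):
    """Smallest beta for which the condition holds with m samples,
    or None if no beta <= d satisfies it."""
    d, norm_v, log_vol = embedding_parameters(n, q, sigma, m)
    for beta in range(beta_min, d + 1):
        if usvp_condition_holds(beta, d, norm_v, log_vol):
            return beta
    return None


def best_block_size(n, q, sigma, m_step=8):
    """Optimise the number of LWE samples m in [n, 2n]; returns (beta, m)."""
    best = None
    for m in range(n, 2 * n + 1, m_step):
        beta = min_block_size(n, q, sigma, m)
        if beta is not None and (best is None or beta < best[0]):
            best = (beta, m)
    return best


if __name__ == "__main__":
    # Constructed NewHope-like parameters: n = 1024, q = 12289, sigma = sqrt(8).
    print(best_block_size(1024, 12289, 8 ** 0.5))
```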

In our work, we spell out this argument in more detail (e.g. how is recovered from ) and throw 23k core hours at the problem of checking if the predicted behaviour, e.g.

matches the observed behaviour, e.g.

Just like for the above plots, the general answer is a clear “yes”.

I forgot the most important bit. The behaviour of the BKZ algorithm on uSVP(-BDD) instances can be observed in this video.

You can observe the basis approaching the GSA until the SVP oracle finds the unusually short vector . From , is then immediately recovered using size reduction. The grey area is the block currently being worked on. The notation in the legend isn’t consistent with the plots above or even internally ( v ), but the general idea should still be apparent. In case you’re wondering about the erratic behaviour of the tails (which occasionally go all over the place), this is due to a bug in fpylll which has recently been fixed.