Breaking the power-of-two barrier: noise estimation for BGV in NTT-friendly rings

IF 1.4 2区数学 Q3 COMPUTER SCIENCE, THEORY & METHODS

Designs, Codes and Cryptography Pub Date : 2024-11-15 DOI:10.1007/s10623-024-01524-5

Andrea Di Giusto, Chiara Marcolla

{"title":"Breaking the power-of-two barrier: noise estimation for BGV in NTT-friendly rings","authors":"Andrea Di Giusto, Chiara Marcolla","doi":"10.1007/s10623-024-01524-5","DOIUrl":null,"url":null,"abstract":"The Brakerski–Gentry–Vaikuntanathan (BGV) scheme is a Fully Homomorphic Encryption (FHE) cryptosystem based on the Ring Learning With Error (RLWE) problem. Ciphertexts in this scheme contain an error term that grows with operations and causes decryption failure when it surpasses a certain threshold. Consequently, the parameters of BGV need to be estimated carefully, with a trade-off between security and error margin. The ciphertext space of BGV is the ring \\(\\mathcal {R}_q=\\mathbb {Z}_q[x]/(\\Phi _m(x))\\), where usually the degree n of the cyclotomic polynomial \\(\\Phi _m(x)\\) is chosen as a power of two for efficiency reasons. However, the jump between two consecutive powers-of-two polynomials also causes a jump in security, resulting in parameters that are much bigger than what is needed. In this work, we explore the non-power-of-two instantiations of BGV. Although our theoretical research encompasses results applicable to any cyclotomic ring, the focus of our investigation is the case of \\({m=2^s\\cdot 3^t}\\) where \\(s,t\\ge 1\\), i.e., cyclotomic polynomials with degree \\({n=\\phi (m)=2^s\\cdot 3^{t-1}}\\). We provide a thorough analysis of the noise growth in this new setting using the canonical norm and compare our results with the power-of-two case considering practical aspects like NTT algorithms. We find that in many instances, the parameter estimation process yields better results for the non-power-of-two setting.","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"38 1","pages":""},"PeriodicalIF":1.4000,"publicationDate":"2024-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Designs, Codes and Cryptography","FirstCategoryId":"100","ListUrlMain":"https://doi.org/10.1007/s10623-024-01524-5","RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 0

Abstract

The Brakerski–Gentry–Vaikuntanathan (BGV) scheme is a Fully Homomorphic Encryption (FHE) cryptosystem based on the Ring Learning With Error (RLWE) problem. Ciphertexts in this scheme contain an error term that grows with operations and causes decryption failure when it surpasses a certain threshold. Consequently, the parameters of BGV need to be estimated carefully, with a trade-off between security and error margin. The ciphertext space of BGV is the ring \(\mathcal {R}_q=\mathbb {Z}_q[x]/(\Phi _m(x))\), where usually the degree n of the cyclotomic polynomial \(\Phi _m(x)\) is chosen as a power of two for efficiency reasons. However, the jump between two consecutive powers-of-two polynomials also causes a jump in security, resulting in parameters that are much bigger than what is needed. In this work, we explore the non-power-of-two instantiations of BGV. Although our theoretical research encompasses results applicable to any cyclotomic ring, the focus of our investigation is the case of \({m=2^s\cdot 3^t}\) where \(s,t\ge 1\), i.e., cyclotomic polynomials with degree \({n=\phi (m)=2^s\cdot 3^{t-1}}\). We provide a thorough analysis of the noise growth in this new setting using the canonical norm and compare our results with the power-of-two case considering practical aspects like NTT algorithms. We find that in many instances, the parameter estimation process yields better results for the non-power-of-two setting.

查看原文本刊更多论文

突破二重幂障碍：在 NTT 友好环中对 BGV 进行噪声估计

Brakerski-Gentry-Vaikuntanathan（BGV）方案是一种基于带误差环学习（RLWE）问题的全同态加密（FHE）密码系统。该方案中的密文包含一个误差项，该误差项随运算量增长，当超过一定阈值时就会导致解密失败。因此，需要仔细估算 BGV 的参数，并在安全性和误差率之间做出权衡。BGV 的密文空间是环（\mathcal {R}_q=\mathbb {Z}_q[x]/(\Phi _m(x))\），通常出于效率考虑，循环多项式 \(\Phi _m(x)\)的度数 n 选为 2 的幂。然而，两个连续的二幂多项式之间的跳跃也会导致安全性的跳跃，从而导致参数远远大于所需的参数。在这项工作中，我们探索了 BGV 的非二幂实例。虽然我们的理论研究涵盖了适用于任何循环环的结果，但我们研究的重点是 \({m=2^s\cdot 3^t}\) where \(s,t\ge 1\) 的情况，即具有度 \({n=\phi (m)=2^s\cdot 3^{t-1}}\) 的循环多项式。我们使用规范对这一新环境下的噪声增长进行了深入分析，并将我们的结果与考虑到 NTT 算法等实际问题的二幂情况进行了比较。我们发现，在许多情况下，参数估计过程在非二幂设置下会产生更好的结果。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Designs, Codes and Cryptography 工程技术-计算机：理论方法

CiteScore

2.80

自引率

12.50%

发文量

157

审稿时长

16.5 months

期刊介绍： Designs, Codes and Cryptography is an archival peer-reviewed technical journal publishing original research papers in the designated areas. There is a great deal of activity in design theory, coding theory and cryptography, including a substantial amount of research which brings together more than one of the subjects. While many journals exist for each of the individual areas, few encourage the interaction of the disciplines. The journal was founded to meet the needs of mathematicians, engineers and computer scientists working in these areas, whose interests extend beyond the bounds of any one of the individual disciplines. The journal provides a forum for high quality research in its three areas, with papers touching more than one of the areas especially welcome. The journal also considers high quality submissions in the closely related areas of finite fields and finite geometries, which provide important tools for both the construction and the actual application of designs, codes and cryptographic systems. In particular, it includes (mostly theoretical) papers on computational aspects of finite fields. It also considers topics in sequence design, which frequently admit equivalent formulations in the journal’s main areas. Designs, Codes and Cryptography is mathematically oriented, emphasizing the algebraic and geometric aspects of the areas it covers. The journal considers high quality papers of both a theoretical and a practical nature, provided they contain a substantial amount of mathematics.