Ring learning with errors signature: Difference between revisions
Carvalho1988 (talk | contribs) Referenced sentences that may look like editor opinions |
Carvalho1988 (talk | contribs) Added more references to statements made in lead and background sections |
||
Line 1: | Line 1: | ||
{{essay-like|date=July 2015}} |
{{essay-like|date=July 2015}} |
||
{{technical|date=July 2015}} |
{{technical|date=July 2015}} |
||
[[Digital signature|Digital Signatures]] are a means to protect [[Digital data|digital information]] from intentional modification and to authenticate the source of digital information. [[Public key cryptography]] provides a rich set of different cryptographic algorithms the create digital signatures. However, all of the public key signatures currently in use will become completely insecure if scientists are ever able to build a moderately sized [[quantum computer]].<ref name=":2">{{Cite web|title = ETSI - Quantum-Safe Cryptography|url = http://www.etsi.org/technologies-clusters/technologies/quantum-safe-cryptography|website = ETSI|accessdate = 2015-07-05|first = Sabine|last = Dahmen-Lhuissier}}</ref><ref name=":3">{{Cite journal|title = Shor's Algorithm|url = https://en.wikipedia.org/wiki/Shor%2527s_algorithm|language = en}}</ref> New digital signature algorithms such as the Ring [[learning with errors]] signature ('''RLWE-SIG''') described in this article are examples of a new class of [[Quantum Safe Cryptography|Quantum Safe]] cryptographic algorithms designed to resist cryptanalytic attacks run on a [[Quantum computing|quantum computer]].<ref>{{Cite journal|title = Post-quantum key exchange for the TLS protocol from the ring learning with errors problem|url = http://eprint.iacr.org/2014/599|date = 2014|first = Joppe W.|last = Bos|first2 = Craig|last2 = Costello|first3 = Michael|last3 = Naehrig|first4 = Douglas|last4 = Stebila}}</ref> |
[[Digital signature|Digital Signatures]] are a means to protect [[Digital data|digital information]] from intentional modification and to authenticate the source of digital information. [[Public key cryptography]] provides a rich set of different cryptographic algorithms the create digital signatures. However, all of the public key signatures currently in use will become completely insecure if scientists are ever able to build a moderately sized [[quantum computer]].<ref name=":2">{{Cite web|title = ETSI - Quantum-Safe Cryptography|url = http://www.etsi.org/technologies-clusters/technologies/quantum-safe-cryptography|website = ETSI|accessdate = 2015-07-05|first = Sabine|last = Dahmen-Lhuissier}}</ref><ref name=":3">{{Cite journal|title = Shor's Algorithm|url = https://en.wikipedia.org/wiki/Shor%2527s_algorithm|language = en}}</ref> New digital signature algorithms such as the Ring [[learning with errors]] signature ('''RLWE-SIG''') described in this article are examples of a new class of [[Quantum Safe Cryptography|Quantum Safe]] cryptographic algorithms designed to resist cryptanalytic attacks run on a [[Quantum computing|quantum computer]].<ref>{{Cite journal|title = Post-quantum key exchange for the TLS protocol from the ring learning with errors problem|url = http://eprint.iacr.org/2014/599|date = 2014|first = Joppe W.|last = Bos|first2 = Craig|last2 = Costello|first3 = Michael|last3 = Naehrig|first4 = Douglas|last4 = Stebila}}</ref><ref name=":1" /> |
||
== Background == |
== Background == |
||
Developments in [[quantum computing]] over the past decade and the optimistic prospects for real quantum computers within 20 years have begun to threaten the basic cryptography that secures the internet.<ref>{{Cite web|title = Quantum computing breakthrough claim from IBM|url = http://www.cio.co.uk/news/r-and-d/quantum-computing-breakthrough-claim-from-ibm-3609914/|accessdate = 2015-06-01|first = Agam|last = Shah}}</ref> A relatively small [[quantum computer]] capable of processing only ten thousand of bits of information would easily break all of the the widely used [[Public-key cryptography|public key]] cryptography algorithms used to protect privacy and digitally sign information on the internet.<ref>{{Cite journal|title = Efficient Networks for Quantum Factoring|url = http://arxiv.org/abs/quant-ph/9602016|journal = Physical Review A|date = 1996|issn = 1050-2947|pages = 1034-1063|volume = 54|issue = 2|doi = 10.1103/PhysRevA.54.1034|first = David|last = Beckman|first2 = Amalavoyal N.|last2 = Chari|first3 = Srikrishna|last3 = Devabhaktuni|first4 = John|last4 = Preskill}}</ref><ref name=":3" /><ref name=":2" /> |
Developments in [[quantum computing]] over the past decade and the optimistic prospects for real quantum computers within 20 years have begun to threaten the basic cryptography that secures the internet.<ref>{{Cite web|title = Quantum computing breakthrough claim from IBM|url = http://www.cio.co.uk/news/r-and-d/quantum-computing-breakthrough-claim-from-ibm-3609914/|accessdate = 2015-06-01|first = Agam|last = Shah}}</ref><ref>{{Cite news|title = Researchers Report Milestone in Developing Quantum Computer|url = http://www.nytimes.com/2015/03/05/science/quantum-computing-nature-google-uc-santa-barbara.html|newspaper = The New York Times|date = 2015-03-04|access-date = 2015-07-05|issn = 0362-4331|first = John|last = Markoff}}</ref> A relatively small [[quantum computer]] capable of processing only ten thousand of bits of information would easily break all of the the widely used [[Public-key cryptography|public key]] cryptography algorithms used to protect privacy and digitally sign information on the internet.<ref>{{Cite journal|title = Efficient Networks for Quantum Factoring|url = http://arxiv.org/abs/quant-ph/9602016|journal = Physical Review A|date = 1996|issn = 1050-2947|pages = 1034-1063|volume = 54|issue = 2|doi = 10.1103/PhysRevA.54.1034|first = David|last = Beckman|first2 = Amalavoyal N.|last2 = Chari|first3 = Srikrishna|last3 = Devabhaktuni|first4 = John|last4 = Preskill}}</ref><ref name=":3" /><ref name=":2" /> |
||
One of the most widely used public key algorithm used to create [[digital signatures]] is known as [[RSA]].<ref>{{Cite journal|title = RSA Cryptosystem|url = https://en.wikipedia.org/wiki/RSA_%2528cryptosystem%2529|language = en}}</ref> Its security is based on the classical difficulty of factoring the product of two large and unknown primes into the constituent primes. The [[integer factorization problem]] is believed to be intractable on any conventional computer if the primes are chosen at random and are sufficiently large.<ref>{{Cite journal|title = Integer factorization records|url = https://en.wikipedia.org/w/index.php?title=Integer_factorization_records&oldid=669003206|date = 2015|language = en}}</ref> However, to factor the product of two n-bit primes, a quantum computer with roughly 6n bits of logical [[qubit]] memory and capable of executing a program known as [[Shor's algorithm|Shor’s algorithm]] will easily accomplish the task.<ref>{{Cite journal|title = Oversimplifying quantum factoring|url = http://www.nature.com/nature/journal/v499/n7457/full/nature12290.html|journal = Nature|date = July 11, 2013|issn = 0028-0836|pages = 163-165|volume = 499|issue = 7457|doi = 10.1038/nature12290|language = en|first = John A.|last = Smolin|first2 = Graeme|last2 = Smith|first3 = Alexander|last3 = Vargo}}</ref> Shor's algorithm can also quickly break digital signatures based on what is known as the [[discrete logarithm]] problem and the more esoteric [[Elliptic curve cryptography|elliptic curve discrete logarithm]] problem.<ref name=":3" /> In effect, a relatively small quantum computer running Shor's algorithm could quickly break all of the digital signatures used to ensure the privacy and integrity of information on the internet today.<ref name=":3" /> |
One of the most widely used public key algorithm used to create [[digital signatures]] is known as [[RSA]].<ref>{{Cite journal|title = RSA Cryptosystem|url = https://en.wikipedia.org/wiki/RSA_%2528cryptosystem%2529|language = en}}</ref> Its security is based on the classical difficulty of factoring the product of two large and unknown primes into the constituent primes. The [[integer factorization problem]] is believed to be intractable on any conventional computer if the primes are chosen at random and are sufficiently large.<ref>{{Cite journal|title = Integer factorization records|url = https://en.wikipedia.org/w/index.php?title=Integer_factorization_records&oldid=669003206|date = 2015|language = en}}</ref> However, to factor the product of two n-bit primes, a quantum computer with roughly 6n bits of logical [[qubit]] memory and capable of executing a program known as [[Shor's algorithm|Shor’s algorithm]] will easily accomplish the task.<ref>{{Cite journal|title = Oversimplifying quantum factoring|url = http://www.nature.com/nature/journal/v499/n7457/full/nature12290.html|journal = Nature|date = July 11, 2013|issn = 0028-0836|pages = 163-165|volume = 499|issue = 7457|doi = 10.1038/nature12290|language = en|first = John A.|last = Smolin|first2 = Graeme|last2 = Smith|first3 = Alexander|last3 = Vargo}}</ref> Shor's algorithm can also quickly break digital signatures based on what is known as the [[discrete logarithm]] problem and the more esoteric [[Elliptic curve cryptography|elliptic curve discrete logarithm]] problem.<ref name=":3" /> In effect, a relatively small quantum computer running Shor's algorithm could quickly break all of the digital signatures used to ensure the privacy and integrity of information on the internet today.<ref name=":3" /> |
||
Even though we do not know when a quantum computer to break RSA and other digital signature algorithms will exist, there has been active research over the past decade to create cryptographic algorithms which remain secure even when an attacker has the resources of a quantum computer at their disposal.<ref name=":2" /> This new area of cryptography is called [[Post-quantum cryptography|Post Quantum]] or [[Quantum Safe Cryptography|Quantum Safe]] cryptography.<ref name=":2" /> This article is about one class of these algorithms: digital signatures based on the Ring [[Learning with errors|Learning with Errors]] problem. The use of this problem in cryptography was introduced by Oded Regev in 2005 and has been the source of several cryptographic designs.<ref>{{Cite web|title = http://www.cims.nyu.edu/~regev/papers/lwesurvey.pdf|url = http://www.cims.nyu.edu/~regev/papers/lwesurvey.pdf|website = www.cims.nyu.edu|accessdate = 2015-05-24}}</ref> |
Even though we do not know when a quantum computer to break RSA and other digital signature algorithms will exist, there has been active research over the past decade to create cryptographic algorithms which remain secure even when an attacker has the resources of a quantum computer at their disposal.<ref name=":2" /> <ref name=":4">{{Cite web|title = Introduction|url = http://pqcrypto.org/|website = pqcrypto.org|accessdate = 2015-07-05}}</ref><ref>{{Cite journal|title = Post-quantum cryptography|url = https://en.wikipedia.org/w/index.php?title=Post-quantum_cryptography&oldid=668208432|date = 2015|language = en}}</ref> This new area of cryptography is called [[Post-quantum cryptography|Post Quantum]] or [[Quantum Safe Cryptography|Quantum Safe]] cryptography.<ref name=":2" /><ref name=":4" /> This article is about one class of these algorithms: digital signatures based on the Ring [[Learning with errors|Learning with Errors]] problem. The use of this problem in cryptography was introduced by Oded Regev in 2005 and has been the source of several cryptographic designs.<ref>{{Cite web|title = http://www.cims.nyu.edu/~regev/papers/lwesurvey.pdf|url = http://www.cims.nyu.edu/~regev/papers/lwesurvey.pdf|website = www.cims.nyu.edu|accessdate = 2015-05-24}}</ref> |
||
An important feature of certain algorithms based on Ring-Learning with Errors is their provable reduction to known hard problems.<ref>{{Cite web|title = What does GCHQ's “cautionary tale” mean for lattice cryptography?|url = http://www.cc.gatech.edu/~cpeikert/soliloquy.html|website = www.cc.gatech.edu|accessdate = 2015-07-05}}</ref> The signature described below has a provable reduction to the [[Shortest vector problem|Shortest Vector Problem]] in an [[Ideal lattice cryptography|ideal lattice]].<ref name=":0" /> This means that if an attack can be found on the Ring-LWE cryptosystem then a whole class of presumed hard computational problems will have a solution.<ref>{{Cite journal|title = The shortest vector in a lattice is hard to approximate to within some constant|url = http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.109.7305|journal = in Proc. 39th Symposium on Foundations of Computer Science|date = 1998|pages = 92–98|first = Daniele|last = Micciancio}}</ref> |
An important feature of certain algorithms based on Ring-Learning with Errors is their provable reduction to known hard problems.<ref>{{Cite journal|title = On ideal lattices and learning with errors over rings|url = http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.297.6108|publisher = Springer|journal = In Proc. of EUROCRYPT, volume 6110 of LNCS|date = 2010|pages = 1–23|first = Vadim|last = Lyubashevsky|first2 = Chris|last2 = Peikert|first3 = Oded|last3 = Regev}}</ref><ref>{{Cite web|title = What does GCHQ's “cautionary tale” mean for lattice cryptography?|url = http://www.cc.gatech.edu/~cpeikert/soliloquy.html|website = www.cc.gatech.edu|accessdate = 2015-07-05}}</ref> The signature described below has a provable reduction to the [[Shortest vector problem|Shortest Vector Problem]] in an [[Ideal lattice cryptography|ideal lattice]].<ref name=":0" /> This means that if an attack can be found on the Ring-LWE cryptosystem then a whole class of presumed hard computational problems will have a solution.<ref>{{Cite journal|title = The shortest vector in a lattice is hard to approximate to within some constant|url = http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.109.7305|journal = in Proc. 39th Symposium on Foundations of Computer Science|date = 1998|pages = 92–98|first = Daniele|last = Micciancio}}</ref> |
||
The first RLWE-SIG was developed by Lyubashevsky in his paper "Lattice Signatures Without Trapdoors" in 2011.<ref name=":1">{{Cite journal|title = Lattice Signatures Without Trapdoors|url = http://eprint.iacr.org/2011/537|date = 2011|first = Vadim|last = Lyubashevsky}}</ref> A number of refinements and variants have followed. This article highlights some features of a RLWE-SIG which closely follows the original Lyubashevsky work and is due to the work of Guneysu, Lyubashevsky and Popplemann ([http://www.di.ens.fr/~lyubash/papers/signaturechess.pdf GLP]).<ref name=":0" /> A later section of this article provides references to other signatures based on Lyubashevsky's original work. |
The first RLWE-SIG was developed by Lyubashevsky in his paper "Lattice Signatures Without Trapdoors" in 2011.<ref name=":1">{{Cite journal|title = Lattice Signatures Without Trapdoors|url = http://eprint.iacr.org/2011/537|date = 2011|first = Vadim|last = Lyubashevsky}}</ref> A number of refinements and variants have followed. This article highlights some features of a RLWE-SIG which closely follows the original Lyubashevsky work and is due to the work of Guneysu, Lyubashevsky and Popplemann ([http://www.di.ens.fr/~lyubash/papers/signaturechess.pdf GLP]).<ref name=":0" /> A later section of this article provides references to other signatures based on Lyubashevsky's original work. |
Revision as of 12:35, 5 July 2015
This article is written like a personal reflection, personal essay, or argumentative essay that states a Wikipedia editor's personal feelings or presents an original argument about a topic. (July 2015) |
This article may be too technical for most readers to understand.(July 2015) |
Digital Signatures are a means to protect digital information from intentional modification and to authenticate the source of digital information. Public key cryptography provides a rich set of different cryptographic algorithms the create digital signatures. However, all of the public key signatures currently in use will become completely insecure if scientists are ever able to build a moderately sized quantum computer.[1][2] New digital signature algorithms such as the Ring learning with errors signature (RLWE-SIG) described in this article are examples of a new class of Quantum Safe cryptographic algorithms designed to resist cryptanalytic attacks run on a quantum computer.[3][4]
Background
Developments in quantum computing over the past decade and the optimistic prospects for real quantum computers within 20 years have begun to threaten the basic cryptography that secures the internet.[5][6] A relatively small quantum computer capable of processing only ten thousand of bits of information would easily break all of the the widely used public key cryptography algorithms used to protect privacy and digitally sign information on the internet.[7][2][1]
One of the most widely used public key algorithm used to create digital signatures is known as RSA.[8] Its security is based on the classical difficulty of factoring the product of two large and unknown primes into the constituent primes. The integer factorization problem is believed to be intractable on any conventional computer if the primes are chosen at random and are sufficiently large.[9] However, to factor the product of two n-bit primes, a quantum computer with roughly 6n bits of logical qubit memory and capable of executing a program known as Shor’s algorithm will easily accomplish the task.[10] Shor's algorithm can also quickly break digital signatures based on what is known as the discrete logarithm problem and the more esoteric elliptic curve discrete logarithm problem.[2] In effect, a relatively small quantum computer running Shor's algorithm could quickly break all of the digital signatures used to ensure the privacy and integrity of information on the internet today.[2]
Even though we do not know when a quantum computer to break RSA and other digital signature algorithms will exist, there has been active research over the past decade to create cryptographic algorithms which remain secure even when an attacker has the resources of a quantum computer at their disposal.[1] [11][12] This new area of cryptography is called Post Quantum or Quantum Safe cryptography.[1][11] This article is about one class of these algorithms: digital signatures based on the Ring Learning with Errors problem. The use of this problem in cryptography was introduced by Oded Regev in 2005 and has been the source of several cryptographic designs.[13]
An important feature of certain algorithms based on Ring-Learning with Errors is their provable reduction to known hard problems.[14][15] The signature described below has a provable reduction to the Shortest Vector Problem in an ideal lattice.[16] This means that if an attack can be found on the Ring-LWE cryptosystem then a whole class of presumed hard computational problems will have a solution.[17]
The first RLWE-SIG was developed by Lyubashevsky in his paper "Lattice Signatures Without Trapdoors" in 2011.[4] A number of refinements and variants have followed. This article highlights some features of a RLWE-SIG which closely follows the original Lyubashevsky work and is due to the work of Guneysu, Lyubashevsky and Popplemann (GLP).[16] A later section of this article provides references to other signatures based on Lyubashevsky's original work.
A RLWE-SIG works in the quotient ring of polynomials modulo a degree n polynomial Φ(x) with coefficients in the finite field Fq for an odd prime q ( i.e. the ring Fq[x]/Φ(x) ).[4] Multiplication and addition of polynomials will work in the usual fashion with results of a multiplication reduced mod Φ(x). For this presentation a typical polynomial is expressed as:
The field Fq has its representative elements in the set { -(q-1)/2, ...-1, 0, 1, ... (q-1)/2 }. The polynomial Φ(x) will be xn + 1.
Generating "Small" Polynomials.
A RLWE-SIG uses polynomials which are considered "small" with respect to a measure called the "infinity norm". The infinity norm for a polynomial is simply the largest absolute value of the coefficients of the polynomial .[16] The signature algorithm will create random polynomials which are small with respect to a particular infinity norm bound. This is easily done by randomly generating all of the coefficients of the polynomial (a0, ..., an-1) in a manner which is guaranteed or very likely to be less than or equal to this bound. In the literature on Ring Learning with Errors, there are two common ways to do this:[4]
- Using Uniform Sampling - The coefficients of the small polynomial are uniformly sampled from a set of small coefficients. Let b be an integer that is much less than q. If we randomly choose polynomial coefficients from the set: { -b, -b+1, -b+2. ... -2, -1, 0, 1, 2, ... , b-2, b-1, b} the infinity norm of the polynomial will be ≤ (b).
- Using Discrete Gaussian Sampling - For an odd integer q, the coefficients are randomly chosen by sampling from the set { -(q-1)/2 to (q-1)/2 } according to a discrete Gaussian distribution with mean 0 and distribution parameter σ. The references provide more details on this method.
In the RLWE-SIG of Gunesyu, Lyubashevsky, and Popplemann used as an example below, coefficients for the "small" polynomials will use the uniform sampling method and the value b will be much smaller than the value q.[16]
Hashing to a "Small" Polynomial
Most RLWE-SIG algorithms also require the ability to cryptographically hash arbitrary bit strings into small polynomials according to some distribution. The example below uses a hash function, HASH(ω), which accepts a bit string, ω, as input and outputs a polynomial with n coefficients such that exactly k of these coefficients are either -1 or 1 and the remaining coefficients are 0. The GLP paper provides details on one way this can be easily done.[16]
Rejection Sampling
An key feature of RLWE-SIG algorithms is the use of a technique known as rejection sampling.[4] In this technique if the infinity norm of a signature polynomial exceeds a fixed bound, β, that polynomial will be discarded and the signing process will begin again. This process will be repeated until the infinity norm of the signature polynomial is less than or equal to the bound. Rejection sampling ensures that the output signature is not exploitably correlated with the signer's secret key values.
In the example which follows, the bound, β, will be (b - k), where b is the range of the uniform sampling described above.[16]
Other Parameters
Following GLP and as noted above, the maximum degree of the polynomials will be n-1 and therefore have n coefficients.[16] Typical values for n are 512, and 1024.[16] The coefficients of these polynomials will be from the field Fq where q is an odd prime congruent to 1 mod 4. For n =512 the authors of GLP set q to be a 22 bit prime and the corresponding b value to be 214. For n=1024, GLP sets q to be a 23-bit prime and b to be 215.[16] The number of non-zero coefficients produced by the hash function (k) is equal to 32 for both cases.[16] The security of the signature scheme is closely tied to the relative sizes of n, q, b, and k. Details on setting these parameters can be found in references 5 and 6 below.[4][16]
The polynomial Φ(x) which defines the ring of polynomials used will be xn + 1. Finally, a(x) will be a randomly chosen and fixed polynomial with coefficients from the set { -(q-1)/2 to (q-1)/2 }. All signers and verifiers of signatures will know n, q, b, k, Φ(x), a(x) and β = b-k
Public Key Generation
An entity wishing to sign messages generates its public key through the following steps:
- Generate two small polynomials s0(x) and s1(x) with coefficients chosen uniformly from the set {-1, 0, 1}
- Compute t(x) = a(x)·s0(x) + s1(x)
- Distribute t(x) as the entity's public key
The polynomials s0(x) and s1(x) serve as the private key and t(x) is the corresponding private key. The security of this signature scheme is based on the following problem. Given a polynomial t(x) find small polynomials f1(x) and f2(x) such that: a(x)·f1(x) + f2(x) = t(x)
If this problem is difficult to solve, then the signature scheme will be will be difficult to forge. [See the Wikipedia article on Ideal Lattice Cryptography for more details on the theoretical difficulty of this problem]
Signature Generation
Following GLP[16], to sign a message m expressed as a bit string, the signing entity does the following:
- Generate two small polynomials y0(x) and y1(x) with coefficients from the set {-b, ..., 0, ...., b}
- Compute w(x) = a(x)·y0(x) + y1(x)
- Map w(x) into a bit string ω
- Compute c(x) = HASH(ω | m) (This is a polynomial with k non-zero coefficients. The "|" denotes concatenation of strings)
- Compute z0(x) = s0(x)·c(x) + y0(x)
- Compute z1(x) = s1(x)·c(x) + y1(x)
- Until the infinity norms of z0(x) and z1(x) ≤ β go to step 1. (This is the rejection sampling step noted above)
- The signature is the triple of polynomials c(x), z0(x) and z1(x)
- Transmit the message along with c(x), z0(x) and z1(x) to the verifier.
Signature Verification
Following GLP[16], to verify a message m expressed as a bit string, the verifying entity must posses the signer's public key (t(x)), the signature (c(x), z0(x), z1(x)), and the message m. The verifier does the following:
- Verify that the infinity norms of z0(x) and z1(x) ≤ β , if not reject the signature.
- Compute w'(x) = a(x)·z0(x) + z1(x) - t(x)c(x)
- Map w'(x) into a bit string ω'
- Compute c'(x) = HASH(ω' | m)
- If c'(x) ≠ c(x) reject the signature, otherwise accept the signature as valid.
Notice that:
a(x)·z0(x) + z1(x) - t(x)c(x) = a(x)·[s0(x)·c(x) + y0(x)] + z1(x) - [a(x)·s0(x) + s1(x)]c(x)
= a(x)·y0(x) + z1(x) - s1(x)·c(x)
= a(x)y0(x) + s1(x)·c(x) + y1(x) - s1(x)·c(x)
= a(x)y0(x) + y1(x) = w(x) (as defined above)
This brief derivation demonstrates that the verification process will have c'(x) = c(x) if the signature was not tampered with.
Other Approaches
There are a number of other cryptographic signatures based on lattices over polynomial rings though not specifically in the Ring Learning With Errors construct explained by Lyubashevsky in his "Lattice Signatures without Trapdoors".[4] Among these are the Learning with Errors Approach by Bai and Galbraith (which has a Ring-LWE variant) and the Trapdoor Lattice approach by Ducas, Durmas, Lepoint and Lyubashevsky [18][19].
Further Reading
- The original Learning with Errors paper by Oded Regev.[20] (updated version here)
- The original Learning with Errors Signature paper by Lyubashevsky.[4] (here)
- The Gunesyu, Lyubashevsky, and Poppelmann RLWE-SIG paper.[16] (here)
References
- ^ a b c d Dahmen-Lhuissier, Sabine. "ETSI - Quantum-Safe Cryptography". ETSI. Retrieved 2015-07-05.
- ^ a b c d "Shor's Algorithm".
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Bos, Joppe W.; Costello, Craig; Naehrig, Michael; Stebila, Douglas (2014). "Post-quantum key exchange for the TLS protocol from the ring learning with errors problem".
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ a b c d e f g h Lyubashevsky, Vadim (2011). "Lattice Signatures Without Trapdoors".
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Shah, Agam. "Quantum computing breakthrough claim from IBM". Retrieved 2015-06-01.
- ^ Markoff, John (2015-03-04). "Researchers Report Milestone in Developing Quantum Computer". The New York Times. ISSN 0362-4331. Retrieved 2015-07-05.
- ^ Beckman, David; Chari, Amalavoyal N.; Devabhaktuni, Srikrishna; Preskill, John (1996). "Efficient Networks for Quantum Factoring". Physical Review A. 54 (2): 1034–1063. doi:10.1103/PhysRevA.54.1034. ISSN 1050-2947.
- ^ "RSA Cryptosystem".
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ "Integer factorization records". 2015.
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Smolin, John A.; Smith, Graeme; Vargo, Alexander (July 11, 2013). "Oversimplifying quantum factoring". Nature. 499 (7457): 163–165. doi:10.1038/nature12290. ISSN 0028-0836.
- ^ a b "Introduction". pqcrypto.org. Retrieved 2015-07-05.
- ^ "Post-quantum cryptography". 2015.
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ "http://www.cims.nyu.edu/~regev/papers/lwesurvey.pdf" (PDF). www.cims.nyu.edu. Retrieved 2015-05-24.
{{cite web}}
: External link in
(help)|title=
- ^ Lyubashevsky, Vadim; Peikert, Chris; Regev, Oded (2010). "On ideal lattices and learning with errors over rings". In Proc. of EUROCRYPT, volume 6110 of LNCS. Springer: 1–23.
- ^ "What does GCHQ's "cautionary tale" mean for lattice cryptography?". www.cc.gatech.edu. Retrieved 2015-07-05.
- ^ a b c d e f g h i j k l m n Güneysu, Tim; Lyubashevsky, Vadim; Pöppelmann, Thomas (2012). "Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems". In Prouff, Emmanuel; Schaumont, Patrick (eds.). Cryptographic Hardware and Embedded Systems – CHES 2012. Lecture Notes in Computer Science. Vol. 7428. Springer Berlin Heidelberg. pp. 530–547. doi:10.1007/978-3-642-33027-8_31. ISBN 978-3-642-33026-1.
- ^ Micciancio, Daniele (1998). "The shortest vector in a lattice is hard to approximate to within some constant". in Proc. 39th Symposium on Foundations of Computer Science: 92–98.
- ^ Bai, Shi; Galbraith, Steven D. (2013). "An improved compression technique for signatures based on learning with errors".
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Ducas, Léo; Durmus, Alain; Lepoint, Tancrède; Lyubashevsky, Vadim (2013). "Lattice Signatures and Bimodal Gaussians".
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Regev, Oded (2005). "On Lattices, Learning with Errors, Random Linear Codes, and Cryptography". In STOC. ACM Press: 84–93.