FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ...
FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ...
FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Security of SWHE over Cyclotomic Rings<br />
� The Ring Learning-with-Errors (RLWE) Problem<br />
� Let B ¿ q. Choose s randomly from Rq. Given many<br />
(linear) polynomials ai(y) = ai0+ai1·y 2 R[y] such that<br />
ai(s) = ei (an Rq-element whose coefficients are smaller than B)<br />
output s.<br />
� How hard is the RLWE Problem?<br />
� [LPR10]: As hard as solving the (q/B)-approximate<br />
shortest vector problem (SVP) on ideal lattices in R.<br />
� As q/B increases, RLWE becomes easier (unless n grows).<br />
� For B ~ poly(k), best known attacks for require 2 k time when<br />
n (the ring dimension) ~ k log(q/B).