TY - JOUR
T1 - Information- and Coding-Theoretic Analysis of the RLWE/MLWE Channel
AU - Maringer, Georg
AU - Puchinger, Sven
AU - Wachter-Zeh, Antonia
N1 - Publisher Copyright:
© 2005-2012 IEEE.
PY - 2023
Y1 - 2023
N2 - Several cryptosystems based on the Ring Learning with Errors (RLWE) problem have been proposed within the NIST post-quantum cryptography standardization process, e.g., NewHope. Furthermore, there are systems like Kyber which are based on the closely related MLWE assumption. Both previously mentioned schemes result in a non-zero decryption failure rate (DFR). The combination of encryption and decryption for these kinds of algorithms can be interpreted as data transmission over a noisy channel. To the best of our knowledge this paper is the first work that analyzes the capacity of this channel. We show how to modify the encryption schemes such that the input alphabets of the corresponding channels are increased. In particular, we present lower bounds on their capacities which show that the transmission rate can be significantly increased compared to standard proposals in the literature. Furthermore, under the common assumption of stochastically independent coefficient failures, we give lower bounds on achievable rates based on both the Gilbert-Varshamov bound and concrete code constructions using BCH codes. By means of our constructions, we can either increase the total bitrate (by a factor of 1.84 for Kyber and by factor of 7 for NewHope) while guaranteeing the same DFR or for the same bitrate, we can significantly reduce the DFR for all schemes considered in this work (e.g., for NewHope from 2-216 to 2-12769).
AB - Several cryptosystems based on the Ring Learning with Errors (RLWE) problem have been proposed within the NIST post-quantum cryptography standardization process, e.g., NewHope. Furthermore, there are systems like Kyber which are based on the closely related MLWE assumption. Both previously mentioned schemes result in a non-zero decryption failure rate (DFR). The combination of encryption and decryption for these kinds of algorithms can be interpreted as data transmission over a noisy channel. To the best of our knowledge this paper is the first work that analyzes the capacity of this channel. We show how to modify the encryption schemes such that the input alphabets of the corresponding channels are increased. In particular, we present lower bounds on their capacities which show that the transmission rate can be significantly increased compared to standard proposals in the literature. Furthermore, under the common assumption of stochastically independent coefficient failures, we give lower bounds on achievable rates based on both the Gilbert-Varshamov bound and concrete code constructions using BCH codes. By means of our constructions, we can either increase the total bitrate (by a factor of 1.84 for Kyber and by factor of 7 for NewHope) while guaranteeing the same DFR or for the same bitrate, we can significantly reduce the DFR for all schemes considered in this work (e.g., for NewHope from 2-216 to 2-12769).
KW - RLWE/MLWE channel
KW - Ring/Module LWE
KW - channel capacity
KW - error correcting codes
UR - http://www.scopus.com/inward/record.url?scp=85144811490&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2022.3226907
DO - 10.1109/TIFS.2022.3226907
M3 - Article
AN - SCOPUS:85144811490
SN - 1556-6013
VL - 18
SP - 549
EP - 564
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
ER -