# How to Construct Polar Codes for Ring-LWE-Based Public Key Encryption

^{1}

^{2}

^{*}

## Abstract

**:**

## 1. Introduction

#### 1.1. Error-Correcting for Ring-LWE-Based Public Key Encryption

#### 1.2. Contribution

- We formulated the RLWE-based PKE as an i.i.d. mod $2\mathbb{Z}$ additive Gaussian noise channel with channel state information (CSI) available to the receiver under a relaxed “independence” assumption;
- (a)
- Given the residue noise term $e\xb7t-s\xb7{e}^{\prime}+{e}^{\u2033}$, we formulated the RLWE-based PKE as a mod $2\mathbb{Z}$ additive Gaussian noise channel within exactly one code block. We assumed the mod $2\mathbb{Z}$ additive Gaussian channel to be independent under a relaxed assumption compared to the one in [15];
- (b)
- Alice, the decoder, can considerably improve the DFR by exploiting the advantage that the polynomials e and s are generated on her side and she can figure out the precise distribution of the Gaussian noise;

- We employed a telecommunication-engineering strategy, namely outage, to construct polar codes for RLWE-based PKE. The encoding and decoding routines allow quasilinear (i.e., $\left(N{log}_{2}N\right)$) and constant-time implementations. Experimental results and theoretical estimation of DFR are also given. Specifically, we derived a new DFR of ${2}^{-149}$ by SC decoding for NewHope parameters $q=$ 12,289, $n=1024$ and code rate = 0.25 and a larger central binomial parameter $k=55$. The DFR margin enabled us to improve the security by $28.8\%$ while keeping the target DFR of ${2}^{-140}$ (as is the benchmark in the work of [15,18]) achievable.

#### 1.3. Roadmap

## 2. Preliminaries

#### 2.1. Ring-LWE Public Key Encryption Scheme

- Alice firstly samples $a\in {R}_{q}$ uniformly at random, then she samples a secret key s together with an error e according to $\chi $. She publishes as the public key a ring-LWE sample $(a,b)=(a,a\phantom{\rule{3.33333pt}{0ex}}\xb7s+e\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q)\in {R}_{q}\times {R}_{q}$;
- Bob encrypts a message $m\in {\{0,1\}}^{n}$ as $({c}_{1},{c}_{2})=(a\xb7t+{e}^{\prime}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q,b\xb7t+{e}^{\u2033}+\lfloor \frac{q}{2}\rfloor \xb7m\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q)$, where ${e}^{\prime},{e}^{\u2033},t$ are sampled independently from $\chi $;
- Alice decrypts using s by computing $d:={c}_{2}-{c}_{1}\xb7s=\lfloor \frac{q}{2}\rfloor \xb7m+e\xb7t-s\xb7{e}^{\prime}+{e}^{\u2033}$.

#### 2.2. Channel Models

**Example**

**1.**

**Example**

**2.**

#### 2.3. Polar Codes for BDMS Channels

**Definition**

**1**(Mutual information of BDMS channels)

**.**

**Definition**

**2**

**Proposition**

**1**

**.**For $i=1,\cdots ,N$,

**Theorem**

**1**

**Theorem**

**2**

#### 2.4. Channel Degradation and Upgradation

**Definition**

**3**

**Lemma**

**1**

**Lemma**

**2**

## 3. Materials and Methods

#### 3.1. RLWE-Based PKE Channel Model with Outage

- The key generation step is the same as the RLWE-based PKE instance in Section 2;
- At the encryption step, Bob takes the RLWE channel as a mod$\phantom{\rule{3.33333pt}{0ex}}2\mathbb{Z}$ additive Gaussian channel (To be precise, it is a $\lfloor \frac{q}{2}\rfloor \mathbb{Z}/q\mathbb{Z}$ channel with additive Gaussian noise $\mathcal{N}(0,{r}^{2}{H}^{2})$ or, equivalently, a $\mathbb{Z}/2\mathbb{Z}$ channel. To ease the notation, we instead use the $\mathrm{mod}\phantom{\rule{3.33333pt}{0ex}}2\mathbb{Z}$ channel with input restricted to {0,1}. The two channels are statistically equivalent.) with the Gaussian distribution to be $\mathcal{N}(0,{r}^{2}{H}_{\u03f5}^{2})$. Then, he constructs polar codes of code length $N=n$ for this channel as described in Section 2.3 and carries out encryption as normal;
- At the decryption step, Alice firstly calculates $H=\sqrt{1+{\sum}_{1}^{n}{e}_{i}^{2}+{\sum}_{1}^{n}{s}_{i}^{2}}$. If $H>{H}_{\u03f5}$, Alice goes back to the key generation step, and the whole process is restarted; otherwise, she decrypts and carries out SC decoding for the mod $2\mathbb{Z}$ channel with additive Gaussian noise $\mathcal{N}(0,{r}^{2}{H}^{2})$. (An explicit illustration of polar encoding and decoding is given in Section 3.3.)

#### 3.2. The Soundness and Security of the Proposed Scheme

**Lemma**

**3.**

**Proof.**

**Definition**

**4**

- 1
- $Gen\left({1}^{n}\right)$ is run to obtain keys $(pk,sk)$;
- 2
- Adversary $\mathcal{A}$ is given $pk$, as well as oracle access to $En{c}_{pk}(\xb7)$. The adversary outputs a pair of messages ${m}_{0},{m}_{1}$ of the same length (these messages must be in the plaintext space associated with $pk$);
- 3
- A random bit $b\leftarrow \{0,1\}$ is chosen, and then, a ciphertext $c\leftarrow En{c}_{pk}\left({m}_{b}\right)$ is computed and given to $\mathcal{A}$. We call c the challenge ciphertext;
- 4
- $\mathcal{A}$ continues to have access to ${Enc}_{pk}(\xb7)$ and outputs a bit ${b}^{\prime}$;
- 5
- The output of the experiment is defined to be 1 if ${b}^{\prime}=b$, and 0 otherwise.

**Definition**

**5**

**Proposition**

**2.**

**Proof.**

#### 3.3. Polar Encoding and SC Decoding for RLWE Channel Using Outage

**Lemma**

**4.**

**Proof.**

## 4. Results: Decoding Performance Analysis

## 5. Discussion

#### 5.1. Security Improvement

#### 5.2. Constant-Time Implementation

#### 5.3. Complexity and Communication Overhead

## 6. Conclusions

- The polar coding scheme using outage considerably improves the error tolerance. It significantly improves the security level (measured by bits of security) of RLWE-based PKE in the NewHope setting by $28.8\%$, which is as attractive as the highest record in [15];
- The proposed polar coding scheme has lower encoding and decoding complexity at a low code rate compared to other error-correcting schemes in the literature [15]. Furthermore, it intrinsically supports constant-time implementations;
- Compared with the polar coding scheme in [19], this scheme is carried out in polynomial representation and uses the original modulation constellation diagram rather than the shrunk one. This avoids the trouble of switching between the polynomial and canonical representation, and the modulation space is not compromised;
- Since the standard process of RLWE-based PKE is amended, how it will behave under a variety of attacks is left for future work, and we proved it to be at least CPA secure nonetheless.

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## Appendix A. Computational Complexity of SC Decoding

## Appendix B. Complexity: LDPC vs. Polar Codes

**Table A1.**Complexity of LDPC and polar decoding (complexity unit: fixed/floating-point numbers) [44].

Coding Scheme | Additions | max(min)/Comparison | Look-Up Table Operations |
---|---|---|---|

LDPC (min-sum) | ${I}_{max}\xb7(2N{d}_{v}+2M)$ | ${I}_{max}\xb7(2{d}_{c}-1)\xb7M$ | — |

LDPC (sum-product) | ${I}_{max}\xb7(2N{d}_{v}+M\xb7(2{d}_{c}-1))$ | — | ${I}_{max}\xb7M\xb7{d}_{c}$ |

Polar (SC) [47] | $N/2{log}_{2}N$ | $N/2{log}_{2}N$ | — |

Polar (SCL) [47,48] | $L\xb7N/2{log}_{2}N$ | $L\xb7N/2{log}_{2}N$ | — |

**Table A2.**Decoding complexity for an information bit length of 200 and a code rate of 1/3 (complexity unit: fixed/floating-point numbers) [44].

Coding Scheme | ${\mathit{d}}_{\mathit{v}}$ | ${\mathit{d}}_{\mathit{c}}$ | ${\mathit{I}}_{\mathit{max}}$ | List Size | Complexity | Percentage |
---|---|---|---|---|---|---|

LDPC (min-sum) | 2.576 | 3.864 | 47 | — | 309,400.40 | 100.0% |

LDPC (sum-product) | 2.576 | 3.864 | 20 | — | 301,149.40 | 97.3% |

Polar SC (200,512) | — | — | — | — | 4808.00 | 1.6% |

Polar SCL (200,512) | — | — | — | 52 | 309,300.57 | 100.0% |

## References

- Lyubashevsky, V.; Peikert, C.; Regev, O. On ideal lattices and learning with errors over rings. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco, France, 30 May–3 June 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 1–23. [Google Scholar]
- Regev, O. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. In Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, STOC ’05, Baltimore, MD, USA, 22–24 May 2005; ACM: New York, NY, USA, 2005; pp. 84–93. [Google Scholar]
- Alkim, E.; Ducas, L.; Pöppelmann, T.; Schwabe, P. Post-quantum key exchange—A new hope. In Proceedings of the 25th {USENIX} Security Symposium ({USENIX} Security 16), Austin, TX, USA, 10–12 August 2016; pp. 327–343. [Google Scholar]
- Ding, J.; Xie, X.; Lin, X. A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem. IACR Cryptol. EPrint Arch.
**2012**, 2012, 688. [Google Scholar] - Peikert, C. Lattice Cryptography for the Internet. In Post-Quantum Cryptography; Springer International Publishing: Cham, Switzerland, 2014; pp. 197–219. [Google Scholar]
- Fujisaki, E.; Okamoto, T. Secure integration of asymmetric and symmetric encryption schemes. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 1999; Springer: Berlin/Heidelberg, Germany, 1999; pp. 537–554. [Google Scholar]
- Targhi, E.E.; Unruh, D. Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In Proceedings of the Theory of Cryptography Conference, Beijing, China, 1–3 November 2016; Springer: Berlin/Heidelberg, Germany, 2016; pp. 192–216. [Google Scholar]
- Saito, T.; Xagawa, K.; Yamakawa, T. Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, 29 April–3 May 2018; Springer: Cham, Switzerland, 2018; pp. 520–551. [Google Scholar]
- Hofheinz, D.; Hövelmanns, K.; Kiltz, E. A modular analysis of the Fujisaki-Okamoto transformation. In Proceedings of the Theory of Cryptography Conference, Baltimore, MD, USA, 12–15 November 2017; Springer: Cham, Switzerland, 2017; pp. 341–371. [Google Scholar]
- D’Anvers, J.P.; Guo, Q.; Johansson, T.; Nilsson, A.; Vercauteren, F.; Verbauwhede, I. Decryption failure attacks on IND-CCA secure lattice-based schemes. In Proceedings of the IACR International Workshop on Public Key Cryptography, Beijing, China, 14–17 April 2019; Springer: Cham, Switzerland, 2019; pp. 565–598. [Google Scholar]
- D’Anvers, J.P.; Rossi, M.; Virdia, F. (One) Failure Is Not an Option: Bootstrapping the Search for Failures in Lattice-Based Encryption Schemes. In Proceedings of the Advances in Cryptology—EUROCRYPT 2020, Zagreb, Croatia, 10–14 May 2020; Springer: Cham, Switzerland, 2020; pp. 3–33. [Google Scholar]
- Guo, Q.; Johansson, T.; Yang, J. A novel CCA attack using decryption errors against LAC. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, 8–12 December 2019; Springer: Cham, Switzerland, 2019; pp. 82–111. [Google Scholar]
- Lu, X.; Liu, Y.; Zhang, Z.; Jia, D.; Xue, H.; He, J.; Li, B.; Wang, K.; Liu, Z.; Yang, H. LAC: Practical Ring-LWE Based Public-Key Encryption with Byte-Level Modulus. IACR Cryptol. EPrint Arch.
**2018**, 2018, 1009. [Google Scholar] - Baan, H.; Bhattacharya, S.; Fluhrer, S.; Garcia-Morchon, O.; Laarhoven, T.; Rietman, R.; Saarinen, M.J.O.; Tolhuizen, L.; Zhang, Z. Round5: Compact and Fast Post-quantum Public-Key Encryption. In Post-Quantum Cryptography; Ding, J., Steinwandt, R., Eds.; Springer International Publishing: Cham, Switzerland, 2019; pp. 83–102. [Google Scholar]
- Fritzmann, T.; Pöppelmann, T.; Sepúlveda, M.J. Analysis of Error-Correcting Codes for Lattice-Based Key Exchange. In Proceedings of the Selected Areas in Cryptography—SAC 2018—25th International Conference, Calgary, AB, Canada, 15–17 August 2018; Springer: Cham, Switzerland, 2018; Volume 11349, pp. 369–390. [Google Scholar]
- D’Anvers, J.P.; Vercauteren, F.; Verbauwhede, I. The impact of error dependencies on Ring/Mod-LWE/LWR based schemes. In Proceedings of the International Conference on Post-Quantum Cryptography, Chongqing, China, 10–12 May 2019; Springer: Cham, Switzerland, 2019; pp. 103–115. [Google Scholar]
- D’Anvers, J.P.; Vercauteren, F.; Verbauwhede, I. On the impact of decryption failures on the security of LWE/LWR based schemes. IACR Cryptol. EPrint Arch.
**2018**, 2018, 1089. [Google Scholar] - Song, M.; Lee, S.; Shin, D.; Lee, E.; Kim, Y.; No, J. Analysis of Error Dependencies on Newhope. IEEE Access
**2020**, 8, 45443–45456. [Google Scholar] [CrossRef] - Wang, J.; Ling, C. Polar Coding for Ring-LWE-Based Public Key Encryption. Cryptology ePrint Archive, Report 2021/619. 2021. Available online: https://eprint.iacr.org/2021/619 (accessed on 12 May 2021).
- Lyubashevsky, V.; Peikert, C.; Regev, O. On ideal lattices and learning with errors over rings. J. ACM
**2013**, 60, 1–35. [Google Scholar] [CrossRef] - Lyubashevsky, V.; Peikert, C.; Regev, O. A toolkit for ring-LWE cryptography. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, 26–30 May 2013; Springer: Berlin/Heidelberg, Germany, 2013; pp. 35–54. [Google Scholar]
- Alkim, E.; Ducas, L.; Pöppelmann, T.; Schwabe, P. NewHope without reconciliation. IACR Cryptol. EPrint Arch.
**2016**, 2016, 1157. [Google Scholar] - Hall, E.; Wilson, S. Design and analysis of turbo codes on Rayleigh fading channels. IEEE J. Sel. Areas Commun.
**1998**, 16, 160–174. [Google Scholar] [CrossRef] - Trifonov, P. Design of polar codes for Rayleigh fading channel. In Proceedings of the 2015 International Symposium on Wireless Communication Systems (ISWCS), Brussels, Belgium, 25–28 August 2015; pp. 331–335. [Google Scholar]
- Bravo-Santos, A. Polar codes for the Rayleigh fading channel. IEEE Commun. Lett.
**2013**, 17, 2352–2355. [Google Scholar] [CrossRef] - Liu, S.; Hong, Y.; Viterbo, E. Polar Codes for Block Fading Channels. In Proceedings of the 2017 IEEE Wireless Communications and Networking Conference Workshops (WCNCW), San Francisco, CA, USA, 19–22 March 2017; pp. 1–6. [Google Scholar]
- Zheng, M.; Chen, W.; Ling, C. Polar Coding for Noncoherent Block Fading Channels. In Proceedings of the 2018 10th International Conference on Wireless Communications and Signal Processing (WCSP), Hangzhou, China, 18–20 October 2018; pp. 1–5. [Google Scholar]
- Forney, G.D. Coset codes. I. Introduction and geometrical classification. IEEE Trans. Inf. Theory
**1988**, 34, 1123–1151. [Google Scholar] [CrossRef][Green Version] - Ling, C.; Belfiore, J.C. Achieving AWGN channel capacity with lattice Gaussian coding. IEEE Trans. Inf. Theory
**2014**, 60, 5918–5929. [Google Scholar] [CrossRef][Green Version] - Liu, L.; Yan, Y.; Ling, C.; Wu, X. Construction of Capacity-Achieving Lattice Codes: Polar Lattices. IEEE Trans. Commun.
**2019**, 67, 915–928. [Google Scholar] [CrossRef] - Liu, L.; Ling, C. Polar Codes and Polar Lattices for Independent Fading Channels. IEEE Trans. Commun.
**2016**, 64, 4923–4935. [Google Scholar] [CrossRef] - Arikan, E. Channel polarization: A method for constructing capacity-achieving codes for symmetric binary-input memoryless channels. IEEE Trans. Inf. Theory
**2009**, 55, 3051–3073. [Google Scholar] [CrossRef] - Tal, I.; Vardy, A. How to construct polar codes. IEEE Trans. Inf. Theory
**2013**, 59, 6562–6582. [Google Scholar] [CrossRef][Green Version] - Pedarsani, R.; Hassani, S.H.; Tal, I.; Telatar, E. On the construction of polar codes. In Proceedings of the 2011 IEEE International Symposium on Information Theory Proceedings, St. Petersburg, Russia, 31 July–5 August 2011; pp. 11–15. [Google Scholar]
- Mori, R.; Tanaka, T. Performance and construction of polar codes on symmetric binary-input memoryless channels. In Proceedings of the 2009 IEEE International Symposium on Information Theory, Seoul, Korea, 28 June–3 July 2009; pp. 1496–1500. [Google Scholar]
- Mori, R.; Tanaka, T. Performance of polar codes with the construction using density evolution. IEEE Commun. Lett.
**2009**, 13, 519–521. [Google Scholar] [CrossRef] - Mori, R. Properties and Construction of Polar Codes. Master’s Thesis, Kyoto University, Kyoto, Japan, 2010. [Google Scholar]
- Korada, S.B. Polar Codes for Channel and Source Coding; Technical Report; EPFL: Lausanne, Switzerland, 2009. [Google Scholar]
- Srinivasan, R.; Tiba, G. Fast estimation of outage probabilities in MIMO channels. IEEE Trans. Commun.
**2004**, 52, 711–715. [Google Scholar] [CrossRef] - Ioannou, I.; Charalambous, C.D.; Loyka, S. Outage Probability Under Channel Distribution Uncertainty. IEEE Trans. Inf. Theory
**2012**, 58, 6825–6838. [Google Scholar] [CrossRef][Green Version] - Stehlé, D.; Steinfeld, R.; Tanaka, K.; Xagawa, K. Efficient public key encryption based on ideal lattices. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, 6–10 December 2009; Springer: Berlin/Heidelberg, Germany, 2009; pp. 617–635. [Google Scholar]
- Jonathan Katz, Y.L. Introduction to Mordern Cryptography; CRC Press: Boca Raton, FL, USA, 2014. [Google Scholar]
- Alkim, E.; Avanzi, R.M.; Bos, J.W.; Ducas, L.; de la Piedra, A.; Pöppelmann, T.; Schwabe, P.; Stebila, D.; Albrecht, M.R.; Orsini, E.; et al. NewHope Algorithm Specifications and Supporting Documentation. Technical Report. 2019. Available online: https://newhopecrypto.org/resources.shtml (accessed on 20 May 2021).
- Sybis, M.; Wesolowski, K.; Jayasinghe, K.; Venkatasubramanian, V.; Vukadinovic, V. Channel Coding for Ultra-Reliable Low-Latency Communication in 5G Systems. In Proceedings of the 2016 IEEE 84th Vehicular Technology Conference (VTC-Fall), Montreal, QC, Canada, 18–21 September 2016; pp. 1–5. [Google Scholar]
- Niu, K.; Chen, K.; Lin, J.; Zhang, Q.T. Polar codes: Primary concepts and practical decoding algorithms. IEEE Commun. Mag.
**2014**, 52, 192–203. [Google Scholar] [CrossRef] - Ryan, W.; Lin, S. Channel Codes: Classical and Modern; Cambridge University Press: Cambridge, UK, 2009. [Google Scholar]
- Balatsoukas-Stimming, A.; Parizi, M.B.; Burg, A. LLR-Based Successive Cancellation List Decoding of Polar Codes. IEEE Trans. Signal Process.
**2015**, 63, 5165–5179. [Google Scholar] [CrossRef][Green Version] - Tal, I.; Vardy, A. List Decoding of Polar Codes. IEEE Trans. Inf. Theory
**2015**, 61, 2213–2226. [Google Scholar] [CrossRef]

**Table 1.**Improved security level of RLWE-based PKE for $n=1024,\phantom{\rule{3.33333pt}{0ex}}q$ = 12,289 using different error-correcting codes.

ECC Schemes | k | DFR | Classical/Quantum (bits) | Improvement | |
---|---|---|---|---|---|

Primal | Dual | ||||

NewHope Round 2 | 8 | ${2}^{-216}$ | 259/235 | 257/233 | – |

Polar codes in this work | 55 | ${2}^{-149}$ | 332/301 | 330/300 | 28.8% |

Polar codes [19] | 16 | ${2}^{-156}$ | 282/256 | 281/255 | 9.4% |

Song et al. [18] | 14 | ${2}^{-156}$ | 278/252 | 276/250 | 7.2% |

Fritzmann et al. [15] | 66 | ${2}^{-140}$ | 341/309 | 338/307 | 31.76% |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Wang, J.; Ling, C. How to Construct Polar Codes for Ring-LWE-Based Public Key Encryption. *Entropy* **2021**, *23*, 938.
https://doi.org/10.3390/e23080938

**AMA Style**

Wang J, Ling C. How to Construct Polar Codes for Ring-LWE-Based Public Key Encryption. *Entropy*. 2021; 23(8):938.
https://doi.org/10.3390/e23080938

**Chicago/Turabian Style**

Wang, Jiabo, and Cong Ling. 2021. "How to Construct Polar Codes for Ring-LWE-Based Public Key Encryption" *Entropy* 23, no. 8: 938.
https://doi.org/10.3390/e23080938