How to Construct Polar Codes for Ring-LWE-Based Public Key Encryption
Entropy (IF 2.7), Pub Date: 2021-07-23, DOI: 10.3390/e23080938
Jiabo Wang 1 , Cong Ling 2

There exists a natural trade-off in public key encryption (PKE) schemes based on ring learning with errors (RLWE): we would like a wider error distribution to increase the security, but it comes at the cost of an increased decryption failure rate (DFR). A straightforward solution to this problem is the error-correcting code, which is commonly used in communication systems and already appears in some RLWE-based proposals. However, applying error-correcting codes to those cryptographic schemes is far from simply installing an add-on. Firstly, the residue error term derived by decryption has correlated coefficients, whereas most prevalent error-correcting codes with remarkable error tolerance assume the channel noise to be independent and memoryless. This explains why only simple error-correcting methods are used in existing RLWE-based PKE schemes. Secondly, the correlated coefficients of the residue error term make accurate DFR estimation challenging even for uncoded plaintext. It can be found in the literature that a tighter DFR estimation can effectively create a DFR margin. Thirdly, most error-correcting codes are not well designed for safety considerations, e.g., syndrome decoding has a nonconstant-time nature. A code good at error correcting might be weak under a variety of attacks. In this work, we propose a polar coding scheme for RLWE-based PKE. A relaxed “independence” assumption is used to derive an uncorrelated residue noise term, and a wireless communication strategy, outage, is used to construct polar codes. Furthermore, some knowledge about the residue noise is exploited to improve the decoding performance. With the parameterization of NewHope Round 2, the proposed scheme creates a considerable DFR margin, which gives a competitive security improvement compared to state-of-the-art benchmarks. Specifically, the security is improved by 28.8%, while a DFR of $2^{-149}$ is achieved for a code rate of 0.25, $n = 1024$, $q = 12289$, and binomial parameter $k = 55$. Moreover, polar encoding and decoding have a quasilinear complexity $O(N \log_2 N)$ and intrinsically support constant-time implementations.
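The quasilinear, data-independent encoding step mentioned in the abstract can be sketched as follows for N = 1024 and code rate 0.25. This is an added example, not code from the paper: the function names are hypothetical, and the frozen set is chosen with the textbook binary-erasure-channel construction as a labelled stand-in, because this page does not describe the paper's outage-based construction.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define N 1024 /* block length; n = 1024 in the abstract */
#define K 256  /* information bits; code rate K/N = 0.25 */
static double z[N];       /* Bhattacharyya parameter of each bit channel */
static uint16_t order[N]; /* bit-channel indices, most reliable first */

static int by_reliability(const void *a, const void *b) {
    double za = z[*(const uint16_t *)a], zb = z[*(const uint16_t *)b];
    return (za > zb) - (za < zb);
}

/* ASSUMPTION: textbook BEC(eps) construction, standing in for the paper's
 * outage-based one. Uses only public code parameters. */
static void construct(double eps) {
    z[0] = eps;
    for (size_t len = 1; len < N; len <<= 1)
        for (size_t i = len; i-- > 0;) {
            double t = z[i];
            z[2 * i] = 2 * t - t * t; /* degraded ("minus") channel */
            z[2 * i + 1] = t * t;     /* upgraded ("plus") channel */
        }
    for (size_t i = 0; i < N; i++) order[i] = (uint16_t)i;
    qsort(order, N, sizeof order[0], by_reliability);
}

/* In-place x <- x * F^(tensor log2 N) over GF(2). Loop bounds and indices
 * depend only on N, never on the data. Returns XOR count (N/2)*log2(N). */
static size_t polar_transform(uint8_t x[N]) {
    size_t xors = 0;
    for (size_t h = 1; h < N; h <<= 1)
        for (size_t i = 0; i < N; i += 2 * h)
            for (size_t j = i; j < i + h; j++, xors++) x[j] ^= x[j + h];
    return xors;
}

/* Message bits go on the K most reliable channels; the rest are frozen 0. */
static size_t polar_encode(const uint8_t msg[K], uint8_t x[N]) {
    memset(x, 0, N);
    for (size_t k = 0; k < K; k++) x[order[k]] = msg[k] & 1;
    return polar_transform(x);
}

int main(void) {
    uint8_t msg[K] = {1, 0, 1, 1}, x[N]; /* constructed sample message */
    construct(0.5);
    return polar_encode(msg, x) == 5120 ? 0 : 1;
}
```

Because the transform is its own inverse over GF(2), applying `polar_transform` to a codeword returns the input vector, which is a convenient self-check for an implementation.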

Updated: 2021-07-23