Open Access, Posted Content

How (Not) to Instantiate Ring-LWE.

Chris Peikert
01 Jan 2016, Vol. 2016, pp 351
Abstract
The learning with errors over rings (Ring-LWE) problem, or more accurately family of problems, has emerged as a promising foundation for cryptography due to its practical efficiency, conjectured quantum resistance, and provable worst-case hardness: breaking certain instantiations of Ring-LWE is at least as hard as quantumly approximating the Shortest Vector Problem on any ideal lattice in the ring. Despite this hardness guarantee, several recent works have shown that certain instantiations of Ring-LWE can be broken by relatively simple attacks. While the affected instantiations are not supported by worst-case hardness theorems and were never proposed for cryptographic purposes, this state of affairs raises natural questions about what other instantiations might be vulnerable, and in particular whether certain classes of rings are inherently unsafe for Ring-LWE. This work comprehensively reviews the known attacks on Ring-LWE and vulnerable instantiations. We give a new, unified exposition which reveals an elementary geometric reason why the attacks work, and provide rigorous analysis to explain certain phenomena that were previously only exhibited by experiments. In all cases, the insecurity of an instantiation is due to the fact that the error distribution is insufficiently "well spread" relative to the ring. In particular, the insecure instantiations use the so-called non-dual form of Ring-LWE, together with spherical error distributions that are much narrower and of a very different shape than the ones supported by hardness proofs. On the positive side, we show that any Ring-LWE instantiation which satisfies or only almost satisfies the hypotheses of the "worst-case hardness of search" theorem is provably immune to broad generalizations of the above-described attacks: the running time divided by advantage is at least exponential in the degree of the ring. This holds for the ring of integers in any number field, so the rings themselves are not the source of insecurity in the vulnerable instantiations. Moreover, the hypotheses of the worst-case hardness theorem are nearly minimal ones which provide these immunity guarantees.
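The "relatively simple attacks" the abstract refers to can be reproduced in a toy setting. The script below is an added example written for this page; it is not code from the paper or its author, and the parameters n = 16, q = 257, a uniform secret and a rounded-Gaussian error of width sigma = 1.5 are my own toy choices. It builds a deliberately bad non-dual Ring-LWE instantiation in Z_q[x]/(x^n + c) with c = q - 1, so that x = 1 is a root of the modulus polynomial mod q and evaluation at 1 is a ring homomorphism phi: R_q -> Z_q. Applying phi to a sample (a, b = a*s + e) gives b(1) = a(1)*s(1) + e(1) (mod q). With a narrow spherical error in the coefficient basis, e(1) is a sum of n small coefficients and is far from uniform on Z_q, so s(1) is recovered by trying all q candidates and keeping the one whose residuals are small. The last function measures how "well spread" the error's image under phi is: widening the error until that image is near-uniform is what makes this particular distinguisher fail, which is the geometric point the abstract is making.

```python
"""Toy 'ring homomorphism' attack on a badly instantiated non-dual Ring-LWE.

Constructed example, not code from the paper.  Ring: R_q = Z_q[x]/(f(x)) with
f(x) = x^N + C and C = Q - 1, so f(1) = Q == 0 (mod Q).  Hence
phi: a(x) -> a(1) mod Q is a ring homomorphism R_q -> Z_q, and for a sample
(a, b = a*s + e) we get b(1) = a(1)*s(1) + e(1) (mod Q).
"""
import random

N = 16          # ring degree (toy size; the effect does not need a large n)
Q = 257         # prime modulus (toy size)
C = Q - 1       # f(x) = x^N + C, chosen so that f(1) = 1 + C = Q == 0 (mod Q)


def ring_mul(a, b):
    """Multiply two elements of Z_Q[x]/(x^N + C), given as length-N coefficient lists."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] = (prod[i + j] + ai * bj) % Q
    # Reduce modulo f using x^N = -C; each high coefficient folds once, since k - N < N.
    for k in range(2 * N - 2, N - 1, -1):
        prod[k - N] = (prod[k - N] - C * prod[k]) % Q
        prod[k] = 0
    return prod[:N]


def evaluate_at_one(a):
    """phi(a) = a(1) mod Q; a ring homomorphism precisely because f(1) == 0 (mod Q)."""
    return sum(a) % Q


def centered(x):
    """Representative of x mod Q in the interval (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def sample_error(rng, sigma):
    """Spherical error: i.i.d. rounded Gaussian of width sigma on every coefficient."""
    return [round(rng.gauss(0, sigma)) % Q for _ in range(N)]


def rlwe_samples(rng, s, sigma, m):
    """m non-dual Ring-LWE samples (a_i, b_i = a_i*s + e_i) for the fixed secret s."""
    out = []
    for _ in range(m):
        a = [rng.randrange(Q) for _ in range(N)]
        e = sample_error(rng, sigma)
        b = [(x + y) % Q for x, y in zip(ring_mul(a, s), e)]
        out.append((a, b))
    return out


def homomorphism_attack(samples):
    """Recover s(1) mod Q.  For the right candidate g the residuals b(1) - a(1)*g
    equal e(1) and cluster near 0; for a wrong g they are uniform on Z_Q."""
    images = [(evaluate_at_one(a), evaluate_at_one(b)) for a, b in samples]
    best_g, best_score = None, None
    for g in range(Q):
        score = sum(abs(centered(b1 - a1 * g)) for a1, b1 in images)
        if best_score is None or score < best_score:
            best_g, best_score = g, score
    return best_g


def error_image_distance(sigma, trials=20000, seed=2):
    """Empirical statistical distance between the law of e(1) mod Q and uniform.
    Close to 1: the error is badly spread with respect to phi.  Close to 0: well spread."""
    rng = random.Random(seed)
    counts = [0] * Q
    for _ in range(trials):
        counts[evaluate_at_one(sample_error(rng, sigma))] += 1
    return 0.5 * sum(abs(c / trials - 1 / Q) for c in counts)


def demo(sigma=1.5, m=200, seed=1):
    """Run the attack on m samples; return (recovered s(1), true s(1))."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]          # uniform secret (toy assumption)
    recovered = homomorphism_attack(rlwe_samples(rng, s, sigma, m))
    return recovered, evaluate_at_one(s)


if __name__ == "__main__":
    got, want = demo()
    print(f"narrow error (sigma=1.5): recovered s(1) = {got}, true s(1) = {want}")
    print("stat. distance of e(1) from uniform, sigma=1.5:", round(error_image_distance(1.5), 3))
    print("stat. distance of e(1) from uniform, sigma=100:", round(error_image_distance(100.0), 3))
```

Only one Z_q coordinate of the secret, s(1), is recovered here, but that already breaks the decision problem for this instantiation, and the same idea applies to any ring homomorphism into a small field under which the error image is concentrated. The contrast between the two statistical distances is the point: the ring and the homomorphism are the same in both runs, and only the spread of the error relative to the ring changes.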


Citations

Book Chapter
Post-quantum Key Exchange for the Internet and the Open Quantum Safe Project
TL;DR: The Open Quantum Safe project is an open-source software project for prototyping quantum-resistant cryptography. It includes liboqs, a C library of quantum-resistant algorithms, and integrations of liboqs into popular open-source applications and protocols, including the OpenSSL library.

Posted Content
Homomorphic Encryption Standard.
TL;DR: All six general-purpose libraries for homomorphic encryption surveyed were based on RLWE-based systems; all implemented one of two encryption schemes (BGV or B/FV) and displayed common choices for the underlying ring, error distribution, and parameter selection.

Journal Article
VPQC: A Domain-Specific Vector Processor for Post-Quantum Cryptography Based on RISC-V Architecture
TL;DR: Experimental results show that VPQC speeds up several typical key encapsulation mechanisms (NewHope, Kyber and LAC) by an order of magnitude compared with previous state-of-the-art hardware implementations.

Posted Content
LAC: Practical Ring-LWE Based Public-Key Encryption with Byte-Level Modulus.
TL;DR: LAC is more compact than most existing (Ring-)LWE based solutions while achieving a level of efficiency similar to popular solutions in this domain such as Kyber.

Book Chapter
Algebraically Structured LWE, Revisited
TL;DR: In recent years there has been a proliferation of algebraically structured Learning With Errors variants, including Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE, and Middle-Product LWE, together with a web of reductions to support their hardness, but these reductions are often difficult to interpret and use.
References

Journal Article
On lattices, learning with errors, random linear codes, and cryptography
TL;DR: Presents a (classical) public-key cryptosystem whose security is based on the hardness of the learning with errors problem, supported by a quantum reduction from worst-case lattice problems such as GapSVP and SIVP to that learning problem.

Journal Article
On Ideal Lattices and Learning with Errors over Rings
TL;DR: The ring-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms.

Journal Article
Worst-Case to Average-Case Reductions Based on Gaussian Measures
TL;DR: Finding small solutions to random modular linear equations is at least as hard as approximating several lattice problems in the worst case within a factor almost linear in the dimension of the lattice; the paper also shows that the distribution obtained by adding Gaussian noise to a lattice becomes close to uniform once the noise exceeds the lattice's smoothing parameter.

Journal Article
Noise-tolerant learning, the parity problem, and the statistical query model
TL;DR: The algorithm runs in polynomial time for parity functions that depend on only the first O(log n log log n) bits of input, which provides the first known instance of an efficient noise-tolerant algorithm for a concept class that is not learnable in the Statistical Query model of Kearns [1998].

Book Chapter
Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems
TL;DR: Constructs public-key and symmetric-key cryptosystems that provide security for key-dependent messages (circular security), and a pseudorandom generator computable by a circuit of n·polylog(n) size.