How (Not) to Instantiate Ring-LWE
[chapter]
2016
Lecture Notes in Computer Science
This holds for the ring of integers in any number field, so the rings themselves are not the source of insecurity in the vulnerable instantiations. ...
In all cases, the insecurity of an instantiation is due to the fact that the error distribution is insufficiently "well spread" relative to the ring. ...
I thank Léo Ducas, Kristin Lauter, Vadim Lyubashevsky, Oded Regev, and Katherine Stange for many valuable discussions and comments on topics related to this work. ...
doi:10.1007/978-3-319-44618-9_22
fatcat:yndp4zo73jbczibngeyzpd6e5e
How to Garble Arithmetic Circuits
2011
2011 IEEE 52nd Annual Symposium on Foundations of Computer Science
The security of our construction relies on the intractability of the learning with errors (LWE) problem. ...
construction transforms a boolean circuit C : {0, 1}^n → {0, 1}^m into a "garbled circuit" Ĉ along with n pairs of k-bit keys, one for each input bit, such that Ĉ together with the n keys corresponding to ...
While we do not know how to implement the primitive over finite fields (nor can we rule out the existence of such an implementation), we implement a similar primitive over the integers under the LWE assumption ...
doi:10.1109/focs.2011.40
dblp:conf/focs/ApplebaumIK11
fatcat:pkzcfake7bdq3lypifmq43czty
How to Garble Arithmetic Circuits
2014
SIAM journal on computing (Print)
The security of our construction relies on the intractability of the learning with errors (LWE) problem. ...
construction transforms a boolean circuit C : {0, 1}^n → {0, 1}^m into a "garbled circuit" Ĉ along with n pairs of k-bit keys, one for each input bit, such that Ĉ together with the n keys corresponding to ...
While we do not know how to implement the primitive over finite fields (nor can we rule out the existence of such an implementation), we implement a similar primitive over the integers under the LWE assumption ...
doi:10.1137/120875193
fatcat:y2ffhu4msvhyhowz7njcqn6dpu
NTRUCCA: How to Strengthen NTRUEncrypt to Chosen-Ciphertext Security in the Standard Model
[chapter]
2012
Lecture Notes in Computer Science
Huaxiong (2012) NTRUCCA: how to strengthen NTRUEncrypt to chosen-ciphertext security in the standard model. Abstract. ...
To our knowledge, our result gives the first IND-CCA2 secure variant of NTRUEncrypt in the standard model, based on standard cryptographic assumptions. ...
Until very recently, it was unknown how to instantiate the most efficient scheme from [1] based on Ring-LWE with a poly-time reduction from worst-case problems in ideal lattices, but this has now been resolved ...
doi:10.1007/978-3-642-30057-8_21
fatcat:5pcdq34otjbexajswvgq5gyi64
Compact and provably secure lattice-based signatures in hardware
2017
2017 IEEE International Symposium on Circuits and Systems (ISCAS)
In this paper, the first hardware design of the provably secure Ring-LWE digital signature scheme, Ring-TESLA, is presented, targeting a Xilinx Spartan-6 FPGA. ...
Lattice-based cryptography is a quantum-safe alternative to existing classical asymmetric cryptography, such as RSA and ECC, which may be vulnerable to future attacks in the event of the creation of a ...
However, the hardness assumptions of NTRU is not related to the hardness of worst-case lattice problems, a useful property of Ring-LWE [8]. ...
doi:10.1109/iscas.2017.8050566
dblp:conf/iscas/HoweRKO17
fatcat:cxdf3fic3nceranlqobzsoukhe
Standard Lattice-Based Key Encapsulation on Embedded Devices
2018
Transactions on Cryptographic Hardware and Embedded Systems
Our results contribute to the practical evaluation of a post-quantum standardization candidate. ...
Due to the large parameters, standard lattice-based schemes have long been considered impractical on embedded devices. ...
We would also like to thank the anonymous reviewers for their very valuable and helpful feedback. ...
doi:10.13154/tches.v2018.i3.372-393
dblp:journals/tches/HoweOKG18
fatcat:st44pel5lje3fao6qxu2lgbzoa
Encoding Functions with Constant Online Rate, or How to Compress Garbled Circuit Keys
2015
SIAM journal on computing (Print)
Specifically, we show how to encode any polynomial-time computable function f : {0, 1}^n → {0, 1}^{m(n)} with online rate of 1+o(1) and with nearly linear online computation. ...
These constructions can be based on the decisional Diffie-Hellman assumption (DDH), the Learning with Errors assumption (LWE), or the RSA assumption. ...
We do not know how to get similar results from general (non-affine) succinct REs. ...
doi:10.1137/130929643
fatcat:pwv2vdym4jeptaawxgca2pygxe
An Efficient Lattice-Based Signature Scheme with Provably Secure Instantiation
[chapter]
2016
Lecture Notes in Computer Science
However, their parameters are not chosen according to their provided security reduction, i.e., the instantiation is not provably secure. ...
To this end, we provide a tight security reduction for the new scheme from the ring learning with errors problem which allows for provably secure and efficient instantiations. ...
which are chosen according to the given security reduction, cf. Section ??. Nevertheless, we achieve good performance with respect to time and space. ...
doi:10.1007/978-3-319-31517-1_3
fatcat:olcpz626wbglvhqaamk2ix7ngu
Encoding Functions with Constant Online Rate or How to Compress Garbled Circuits Keys
[chapter]
2013
Lecture Notes in Computer Science
Specifically, we show how to encode any polynomial-time computable function f : {0, 1}^n → {0, 1}^{m(n)} with online rate of 1+o(1) and with nearly linear online computation. ...
These constructions can be based on the decisional Diffie-Hellman assumption (DDH), the Learning with Errors assumption (LWE), or the RSA assumption. ...
We do not know how to get similar results from general (non-affine) succinct REs. ...
doi:10.1007/978-3-642-40084-1_10
fatcat:e4bhvkik3vcpfccot3c6omgvtq
Compact, Scalable, and Efficient Discrete Gaussian Samplers for Lattice-Based Cryptography
2018
2018 IEEE International Symposium on Circuits and Systems (ISCAS)
This also applies to Ring-LWE, Ring-SIS, Module-LWE, and Module-SIS based ...
BLISS-III and BLISS-IV as well as BCNS and Ring-LWE parameters can also all share the same base sampler. ...
doi:10.1109/iscas.2018.8351009
dblp:conf/iscas/KhalidHRRO18
fatcat:uwlrihidqbgd3melpslkeg7qde
The Ring-LWE Problem in Lattice-Based Cryptography: The Case of Twisted Embeddings
2021
Entropy
We prove that Twisted Ring-LWE is secure by providing a security reduction from Ring-LWE to Twisted Ring-LWE in both search and decision forms. ...
Although these weak instances are not addressed by worst-case hardness theorems, enabling other ring instantiations enlarges the scope of possible applications and favors the diversification of security ...
Author Contributions: All authors contributed to the study conception and design. ...
doi:10.3390/e23091108
pmid:34573733
fatcat:zwn3lmbkmzhgpk7glr4h3tkapi
Efficient Scalable Constant-Round MPC via Garbled Circuits
[chapter]
2017
Lecture Notes in Computer Science
Our constructions use key-homomorphic pseudorandom functions (one based on DDH and the other on Ring-LWE) and are concretely efficient. ...
In recent work, it was shown that this protocol can be efficiently instantiated for semi-honest adversaries (Ben-Efraim et al., ACM CCS 2016). ...
Acknowledgements We would like to thank Shalev Keren, Moria Farbstein and Lior Koskas for helping with the code, and to thank Shai Halevi and Vadim Lyubashevsky for helpful discussions on LWE. ...
doi:10.1007/978-3-319-70697-9_17
fatcat:cysaevum25bafk56zdb6b4x5gq
Privacy-Preserving Logistic Regression with Distributed Data Sources via Homomorphic Encryption
2016
IEICE transactions on information and systems
Indeed, we instantiate our system with Paillier, LWE-based, and ring-LWE-based encryption schemes, highlighting the merits and demerits of each instantiation. ...
Besides examining the costs of computation and communication, we carefully test our system over real datasets to demonstrate its utility. ...
to use additively homomorphic encryption with the homomorphism-aware logistic regression. (3) We show how to instantiate our system with Paillier, LWE-based, and ring-LWE-based encryption, and highlight ...
doi:10.1587/transinf.2015inp0020
fatcat:erfil7oeyvhwtg6q3xsspiplmu
Compact Lattice Signatures
2018
Proceedings of the 15th International Joint Conference on e-Business and Telecommunications
., 2017) to bring lattice-based signature schemes at par with the traditional number-theoretic signature schemes. ...
However, the trade-off between the signature size and the key size, time for a signature generation, and the practical and provable security is not necessarily the optimal. ...
We are thankful to Kajla Basu for her support. ...
doi:10.5220/0006861606560661
dblp:conf/icete/DasS18
fatcat:eawydz6lkzax3azbovor4p5ujm
SPRING: Fast Pseudorandom Functions from Rounded Ring Products
[chapter]
2015
Lecture Notes in Computer Science
One instantiation uses a generator matrix of a binary BCH error-correcting code to "deterministically extract" nearly random bits from a (biased) rounded subset-product. ...
In this work we give two concrete and practically efficient instantiations of the BPR design, which we call SPRING, for "subset-product with rounding over a ring." ...
with errors" (ring-LWE) problem [LPR10] is hard in R_p. ...
doi:10.1007/978-3-662-46706-0_3
fatcat:dkweldpsoffixdfttdglsuljha