Abstract
Middle-product learning with errors (\(\mathsf {MP} \text{- }\mathsf {LWE} \)) is a variant of the \(\mathsf {LWE}\) problem introduced at CRYPTO 2017 by Rosca et al. (Advances in cryptology—CRYPTO, Springer, Berlin, 2017). Asymptotically, the theoretical results of Rosca et al. (2017) suggest that \(\mathsf {MP} \text{- }\mathsf {LWE} \) gives lattice-based public-key cryptosystems offering a ‘security-risk vs. efficiency’ trade-off: higher performance than cryptosystems based on unstructured lattices (\(\mathsf {LWE}\) problem) and lower risk than cryptosystems based on structured lattices (Polynomial/Ring \(\mathsf {LWE}\) problem). However, although promising in theory, Rosca et al. (2017) left the practical implications of \(\mathsf {MP} \text{- }\mathsf {LWE} \) for lattice-based cryptography unclear. In this paper, we show how to build practical public-key cryptosystems with strong security guarantees based on \(\mathsf {MP} \text{- }\mathsf {LWE} \). On the implementation side, we present optimised fast algorithms for computing the middle-product operation over polynomial rings \({\mathbb {Z}}_q[x]\), the dominant computation for \(\mathsf {MP} \text{- }\mathsf {LWE} \)-based cryptosystems. On the security side, we show how to obtain a nearly tight security proof for \(\mathsf {MP} \text{- }\mathsf {LWE} \) from the hardest Polynomial LWE problem over a large family of rings, improving on the loose reduction of Rosca et al. (2017). We also show and analyze an optimised cryptanalysis of \(\mathsf {MP} \text{- }\mathsf {LWE} \) that narrows the complexity gap between best known attacks on \(\mathsf {MP} \text{- }\mathsf {LWE} \) and Polynomial \(\mathsf {LWE}\). 
To evaluate the practicality of \(\mathsf {MP} \text{- }\mathsf {LWE} \), we apply our results to construct, implement and optimise parameters for a practical \(\mathsf {MP} \text{- }\mathsf {LWE} \)-based public-key cryptosystem, \(\mathsf {Titanium} \), and compare its benchmarks to other lattice-based systems. Our results show that \(\mathsf {MP} \text{- }\mathsf {LWE} \) offers a new ‘security-risk vs. efficiency’ trade-off in lattice-based cryptography in practice, not only asymptotically in theory.
Notes
We remark that the risk for Module PLWE may be lower than for PLWE, since existing ‘direct’ attacks on the Module Polynomial LWE problem require a larger module rank to be solved than attacks on the \(\mathsf {PLWE} \) instance. But [1] shows, at least asymptotically, that at the cost of a polynomially larger error parameter, a poly-time PLWE attack over the ring translates into a poly-time Module PLWE attack over the same ring.
For an attempt to employ Karatsuba for MP computation, the interested reader is referred to https://github.com/kzoacn/PolyMultiply.
Available at https://github.com/raykzhao/Titanium.
Available at https://github.com/pq-crystals/kyber.
References
Albrecht M.R., Amit D.: Large modulus Ring-LWE \(\ge \) Module-LWE. In: Advances in Cryptology—ASIACRYPT 2017, pp. 267–296 (2017).
Albrecht M.R., Fitzpatrick R., Göpfert F.: On the efficacy of solving LWE by reduction to unique-SVP. In: Information Security and Cryptology—ICISC 2013—16th International Conference, Seoul, Korea, 27–29 November, 2013, Revised Selected Papers, pp. 293–310 (2013).
Alkim E., Ducas L., Pöppelmann T., Schwabe P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343 (2016).
Alkim E., Bos JW., Ducas L., Longa P., Mironov I., Naehrig M., Nikolaenko V., Peikert C., Raghunathan A., Stebila D., Easterbrook K., LaMacchia B.: FrodoKEM learning with errors key encapsulation. https://frodokem.org/files/FrodoKEM-specification-20171130.pdf (2017).
Bernstein D.J., Chuengsatiansup C., Lange T., van Vredendaal C.: NTRU Prime. Cryptology ePrint Archive. http://eprint.iacr.org/2016/461 (2016).
Bos J.W., Costello C., Ducas L., Mironov I., Naehrig M., Nikolaenko V., Raghunathan A., Stebila D.: Frodo: take off the ring! practical, quantum-secure key exchange from LWE. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 Oct 2016, pp. 1006–1018 (2016).
Bos J.W., Ducas L., Kiltz E., Lepoint T., Lyubashevsky V., Schanck J.M., Schwabe P., Stehlé D.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. IACR Cryptology ePrint Archive 2017, 634 (2017).
Boucheron S., Lugosi G., Massart P.: Concentration Inequalities: A Nonasymptotic Theory of Independence. Oxford University Press, Oxford (2013).
Brakerski Z., Vaikuntanathan V.: Efficient fully homomorphic encryption from (standard) LWE. Proceedings of FOCS, pp. 97–106. IEEE Computer Society Press, Washington, DC (2011).
Castryck W., Iliashenko I., Vercauteren F.: Provably weak instances of Ring-LWE revisited. Proceedings of EUROCRYPT, pp. 147–167. Springer, Berlin (2016).
Cramer R., Ducas L., Wesolowski B.: Short Stickelberger class relations and application to Ideal-SVP. Cryptology ePrint Archive. https://eprint.iacr.org/2016/885 (2016).
Cramer R., Ducas L., Peikert C., Regev O.: Recovering short generators of principal ideals in cyclotomic rings. Proceedings of EUROCRYPT. Springer, Berlin (2016).
D’Anvers J-P., Karmakar A., Roy S.S., Vercauteren F.: SABER: Mod-LWR based KEM. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/SABER.zip (2017).
Dodis Y., Ostrovsky R., Reyzin L., Smith A.D.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008).
Eisenträger K., Hallgren S., Lauter K.: Weak instances of PLWE. Proceedings of SAC. Springer, Berlin (2014).
Elias Y., Lauter K.E., Ozman E., Stange K.E.: Provably weak instances of Ring-LWE. Proceedings of CRYPTO. Springer, Berlin (2015).
Fujisaki E., Okamoto T.: Secure integration of asymmetric and symmetric encryption schemes. In: Advances in Cryptology–CRYPTO’99, 19th Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August, 1999, pp. 537–554 (1999).
Hanrot G., Quercia M., Zimmermann P.: The middle product algorithm I. Appl. Algebra Eng. Commun. Comput. 14(6), 415–438 (2004).
Harvey D.: Faster arithmetic for number-theoretic transforms. J. Symb. Comput. 60, 113–119 (2014).
Hofheinz D., Hövelmanns K., Kiltz E.: A modular analysis of the Fujisaki–Okamoto transformation. Cryptology ePrint Archive, Report 2017/604 (2017). http://eprint.iacr.org/2017/604.
Kannan R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987).
Laarhoven T., Mosca M., van de Pol J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Cryptogr. 77(2), 375–400 (2015).
Langlois A., Stehlé D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015).
Lyubashevsky V.: Digital signatures based on the hardness of ideal lattice problems in all rings. Proceedings of ASIACRYPT, pp. 196–214. Springer, Berlin (2016).
Lyubashevsky V., Micciancio D.: Generalized compact knapsacks are collision resistant. Proceedings of ICALP, pp. 144–155. Springer, Berlin (2006).
Lyubashevsky V., Peikert C., Regev O.: On ideal lattices and learning with errors over rings. Proceedings of EUROCRYPT. LNCS, pp. 1–23. Springer, Berlin (2010).
NIST. NIST post-quantum competition. http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/call-for-proposals-final-dec-2016.pdf. Accessed 13 June 2017.
NIST. SHA-3 standard: Permutation-based hash and extendable-output functions. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf. Accessed 29 Sept 2017.
Peikert C.: Lattice cryptography for the internet. In: Post-Quantum Cryptography–6th International Workshop, PQCrypto 2014, Waterloo, ON, Canada, Oct 1–3, 2014, pp. 197–219 (2014).
Peikert C.: How not to instantiate Ring-LWE. Proceedings of SCN. LNCS, vol. 9841, pp. 411–430. Springer, Berlin (2016).
Regev O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of STOC, pp. 84–93 (2005).
Regev O.: On lattices, learning with errors, random linear codes, and cryptography. JACM 56, 34 (2009).
Roşca M., Sakzad A., Stehlé D., Steinfeld R.: Middle-product learning with errors. Advances in Cryptology—CRYPTO 2017, pp. 283–297. Springer, Berlin (2017).
Rosca M., Stehlé D., Wallet A.: On the Ring-LWE and Polynomial-LWE problems. Advances in Cryptology—EUROCRYPT 2018, pp. 146–173. Springer, Berlin (2018).
Schnorr C.P.: Lattice Reduction by Random Sampling and Birthday Methods, pp. 145–156. Springer, Berlin (2003).
Seiler G.: Faster AVX2 optimized NTT multiplication for Ring-LWE lattice cryptography. https://eprint.iacr.org/2018/039.pdf (2018).
Sorensen H.V., Burrus C.S.: Efficient computation of the DFT with only a subset of input or output points. IEEE Trans. Signal Process. 41(3), 1184–1200 (1993).
Stehlé D., Steinfeld R., Tanaka K., Xagawa K.: Efficient public key encryption based on ideal lattices. Proceedings of ASIACRYPT, pp. 617–635. Springer, Berlin (2009).
Steinfeld R., Sakzad A., Zhao R.K.: Titanium: post-quantum public-key encryption and KEM algorithms. http://users.monash.edu.au/~rste/Titanium.html. Accessed 1 May 2018.
Steinfeld R., Sakzad A., Zhao R.K.: Titanium: post-quantum public-key encryption and KEM algorithms. NIST PQC Standardisation Process submission. Accessed 1 May 2018.
Funding
Funding was provided by Australian Research Council (Grant No. DP150100285).
Additional information
Communicated by M. Albrecht.
Appendices
Appendix A: Concrete correctness conditions of \(\mathsf {Titanium\text{- }CPA}\) and computation of \(p_e\)
This section contains the proof of correctness for our \(\mathsf {Titanium\text{- }CPA}\) algorithm and explains our method of computing a numerical, provable upper bound on the decryption error probability, which is also used in our \(\mathsf {IND} \text{- }\mathsf {CCA} \) security proof. We first define the concept of a \(\delta \)-correct \(\mathsf {Titanium\text{- }CPA}\).
Definition 6
Our \(\mathsf {Titanium\text{- }CPA}\) scheme is called \(\delta \)-correct if for any function f, we have
We remark that the above definition of decryption error probability over the choice of both public key and encryption randomness (for any, even key-dependent, messages), matches the definition of \(\delta \)-correctness in [20], which allows us to apply the security analysis of [20] to the Fujisaki–Okamoto transform applied to \(\mathsf {Titanium\text{- }CPA}\), which yields our \(\mathsf {Titanium\text{- }CCA}\) scheme.
From now on, we let \(p_e\) denote the LHS of (31). We now analyse the correctness of \(\mathsf {Titanium\text{- }CPA}\). Let us first expand the main operation in the decryption of \(\mathsf {Titanium\text{- }CPA}\):
where (32) and (33) are obtained using (1) and Lemma 2, respectively. Therefore, in the decryption algorithm of \(\mathsf {Titanium\text{- }CPA}\) we have
if \(\sum ^t_{i=1} \mathsf {Rev} (r_i) \odot _{_d} e_i\) computed over \({\mathbb {Z}}_q^d[x]\) (i.e., with reduction mod q) has coefficients smaller than \(\lfloor q/p \rfloor /2\), i.e., if
with the computations performed over \({\mathbb {Z}}^d[x]\). We upper bound the probability \(p_e\) that (34) does not hold, over the choice of the encryption randomness \((r_1,\ldots ,r_t)\) from the distribution \(\chi _r\) and the choice of key generation errors \((e_1,\ldots ,e_t)\) from the distribution \(\chi _e\).
We recall that \(\chi _r\) has the form:
i.e., the first \(N_{\mathsf {dec} 1}\) integer coefficients of the concatenated coefficient vectors of the \(r_i\)’s are sampled from \(\mathsf {ZeIntU} (B_1)\) and the remaining \(N_{\mathsf {dec} } - N_{\mathsf {dec} 1}\) coefficients are sampled from \(\mathsf {ZeIntU} (B_2)\). Also, \(\chi _e\) samples each integer coefficient of \((e_1,\ldots ,e_t)\) from the \(\mathsf {BinDiff} (\eta )\) distribution. For \(i=1,2\), let us define the distribution \(\chi _i\) over \({\mathbb {Z}}\) as the distribution of the product (over \({\mathbb {Z}}\)) of a sample from \(\mathsf {ZeIntU} (B_i)\) and an independent sample from \(\mathsf {BinDiff} (\eta )\). Let us define \(\bar{r_i}\) as \(\mathsf {Rev} (r_i)\). Then we observe that for each \(1\le i\le t\), each coefficient of \(\bar{r_i} \odot _{_d} e_i\) is an inner product between a row of \(\mathsf {Toep}^{d,k}(\bar{r_i})\) and the coefficient vector \(\mathbf{e}_i\) of \(e_i\). Therefore, by the independence of the \(r_i\) and \(e_i\) coefficients, the distribution of each coefficient of \(\sum ^t_{i=1} \bar{r_i} \odot _{_d} e_i\) is the distribution of a sum \(\sum _{i=1}^{N_{\mathsf {dec} }}x_i\) of independent random variables \(x_i\), where \(x_i\) is sampled from the distribution \(\chi _i\) with
The probability of error \(\bar{p_e}\) for any fixed coordinate of the message can therefore be upper bounded as follows:
with \(x_i\) distributed as in (35). Since the \(x_i\)’s are independent with \({\mathbb {E}}[x_i]=0\) for \(1\le i\le N_{\mathsf {dec} }\), we have
where (37) holds because the mapping \(x\mapsto \exp (s\cdot x)\) is monotonically increasing, (38) is obtained using Markov’s inequality [8], and (39) is valid because the \(x_i\)’s are independent of each other. Let us further define
for \(j\in \{1,2\}\). Therefore, (39) can be re-written as:
In order to minimize \(\bar{p_e}\), one needs to find the s that minimizes (40). Letting
one can differentiate f to find the critical point \(s^*\) with \(f(s^*)=0\), which minimizes the right-hand side of (40). The well-known bisection method is then used to numerically evaluate \(s^*\) and hence \(\bar{p_e}^{\small {\mathsf {Hoeffding} }}\) such that \(\bar{p_e}\le \bar{p_e}^{\small {\mathsf {Hoeffding} }}\). The above analysis and a union bound over the d coordinates of \(\sum ^t_{i=1} \bar{r_i} \odot _{_d} e_i\) ensure that our \(\mathsf {Titanium\text{- }CPA}\) is \(p_e^{\small {\mathsf {Hoeffding} }} \le d \cdot \bar{p_e}^{\small {\mathsf {Hoeffding} }}\)-correct.
Instead of the above Hoeffding approach, one could use a heuristic analysis based on the central limit theorem (CLT) to upper bound (36). In particular, by the independence of the \(x_i\)’s, we can approximate the distribution of \(\sum _{i=1}^{N_{\mathsf {dec} }}x_i\) by a Gaussian distribution with mean \(\mu \) and standard deviation \(\sigma \), both of which we can compute explicitly, and then use standard Gaussian tail bounds to bound \(p_e\). To be more precise, a straightforward computation using the independence of the \(x_i\), and the fact that the standard deviation of \(\chi _e\) is \(\sqrt{2\eta /4}=\sqrt{\eta /2}\), shows that the standard deviation of \(\sum _{i=1}^{N_{\mathsf {dec} }}x_i\) is given by
where
and
Using a standard Gaussian tail bound along with a union bound over the d coordinates as above, one gets
where
Furthermore, using a union bound one can calculate \(z_{\small \mathsf {Hoeffding} }\) such that the calculated \(p_e^{\small {\mathsf {Hoeffding} }}\) satisfies the following inequality
In Tables 9 and 10, we compare our derived \(z_{\small \mathsf {Hoeffding} }\) in (44) with \(z_{\small \mathsf {clt} }\) in (43) for our different parameter sets. The results suggest that our provable Hoeffding bounds on the decryption error probability are close to optimal, as they are not much higher than the bounds obtained from the CLT heuristic.
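As an added example (not code from the paper or from the Titanium implementation), the following Python carries out the moment-generating-function bound of (36) to (40) on the per-coordinate error probability, locating \(s^*\) by bisection on the derivative of the log of the bound, and places the CLT heuristic beside it for comparison on constructed toy parameters. It assumes that \(\mathsf {ZeIntU} (B)\) is uniform over the B integers \(-B/2,\ldots ,B/2-1\) and that \(\mathsf {BinDiff} (\eta )\) is the difference of two independent \(\mathrm {Binomial}(\eta ,1/2)\) samples (consistent with the stated variance \(\eta /2\)); both are assumptions, as the appendix does not restate these definitions.

```python
from math import comb, exp, log, log2, sqrt, erfc

def bindiff_pmf(eta):
    """BinDiff(eta): difference of two independent Binomial(eta, 1/2) samples,
    so P[v] = C(2*eta, eta+v) / 4^eta for v in [-eta, eta] (variance eta/2)."""
    return {v: comb(2 * eta, eta + v) / 4 ** eta for v in range(-eta, eta + 1)}

def chi_pmf(B, eta):
    """chi_j of (35): product of a ZeIntU(B) sample and an independent BinDiff(eta) sample.
    Assumption (not restated in the appendix): ZeIntU(B) is uniform on -B/2, ..., B/2 - 1."""
    pv = bindiff_pmf(eta)
    pmf = {}
    for u in range(-B // 2, B // 2):
        for v, p in pv.items():
            pmf[u * v] = pmf.get(u * v, 0.0) + p / B
    return pmf

def log_mgf(pmf, s):
    """log E[exp(s*x)] for x ~ pmf, evaluated in the log domain so large s cannot overflow."""
    m = max(s * x for x in pmf)
    return m + log(sum(p * exp(s * x - m) for x, p in pmf.items()))

def d_log_mgf(pmf, s):
    """Derivative of log_mgf with respect to s: E[x*exp(s*x)] / E[exp(s*x)]."""
    m = max(s * x for x in pmf)
    num = sum(p * x * exp(s * x - m) for x, p in pmf.items())
    den = sum(p * exp(s * x - m) for x, p in pmf.items())
    return num / den

def hoeffding_log2_pe(B1, B2, eta, N1, N2, T, d, iters=100):
    """log2 of the provable bound d * 2 * min_s exp(-s*T) * M1(s)^N1 * M2(s)^N2, i.e. (40)
    minimised over s, doubled for the negative tail (chi_j is symmetric because BinDiff is)
    and multiplied by d for the union bound over the d coordinates."""
    pmf1, pmf2 = chi_pmf(B1, eta), chi_pmf(B2, eta)
    # g(s) = d/ds log(bound) is increasing (log-MGFs are convex) and g(0) = -T < 0,
    # so its unique zero s* (the minimiser) is found by bisection once g(hi) > 0.
    def g(s):
        return -T + N1 * d_log_mgf(pmf1, s) + N2 * d_log_mgf(pmf2, s)
    lo, hi = 0.0, 1.0
    while g(hi) < 0 and hi < 1e6:
        hi *= 2
    for _ in range(iters):
        mid = (lo + hi) / 2
        if g(mid) < 0:
            lo = mid
        else:
            hi = mid
    s = (lo + hi) / 2
    log_bound = log(2 * d) - s * T + N1 * log_mgf(pmf1, s) + N2 * log_mgf(pmf2, s)
    return log_bound / log(2)

def clt_log2_pe(B1, B2, eta, N1, N2, T, d):
    """CLT heuristic: the sum is treated as N(0, sigma^2) with sigma from the chi_j variances.
    Returns (log2 of d * P[|N(0, sigma^2)| >= T], z = T / sigma)."""
    var = lambda pmf: sum(p * x * x for x, p in pmf.items())
    sigma = sqrt(N1 * var(chi_pmf(B1, eta)) + N2 * var(chi_pmf(B2, eta)))
    tail = erfc(T / (sigma * sqrt(2)))
    return (log2(d * tail) if tail > 0 else float("-inf")), T / sigma

if __name__ == "__main__":
    # Constructed toy parameters, not a Titanium parameter set: q = 257, p = 2 give the
    # threshold T = floor(q/p)/2 = 64; eta = 2, B1 = 4, B2 = 2, N_dec1 = 100, N_dec = 300, d = 256.
    args = (4, 2, 2, 100, 200, 64, 256)
    print("log2 p_e (Hoeffding bound):", hoeffding_log2_pe(*args))
    print("log2 p_e (CLT heuristic), z_clt:", clt_log2_pe(*args))
```

On the toy parameters the provable bound sits a few bits above the CLT estimate, the same qualitative gap the text reports for the real parameter sets in Tables 9 and 10.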
1.1 Appendix A.1: Concrete correctness condition of \(\mathsf {Titanium\text{- }CCA}\)
We similarly define correctness for \(\mathsf {Titanium\text{- }CCA}\) as follows.
Definition 7
Our \(\mathsf {Titanium\text{- }CCA}\) scheme is called \(\delta \)-correct if
As we follow the KEM construction given in [20], the following result follows directly.
Lemma 6
If \(\mathsf {Titanium\text{- }CPA}\) is \(\delta \)-correct and \(\mathsf {G} \) and \(\mathsf {H} \) are random oracles, then our \(\mathsf {Titanium\text{- }CCA}\) is \(\delta \)-correct.
Appendix B: \(\mathsf {Titanium\text{- }CCA}\) algorithms
We use hash functions in our \(\mathsf {Titanium\text{- }CCA}\). The cryptographic hash functions \(\mathsf {G} \) and \(\mathsf {H} \) are modelled as random oracles in the security analysis, and are instantiated using the \(\mathsf {SHAKE256} \) mode of [28].
Appendix C: Leftover hash lemma and Proof of Theorem 3
We use the following variant of the LHL [14].
Lemma 7
Let X, Y, Z denote finite sets. Let \({\mathcal {H}}\) be a universal family of hash functions \(h : X \rightarrow Y\). Let \(f: X \rightarrow Z\) be arbitrary. Then for any random variable T taking values in X, we have:
where \(\gamma (T) = \max _{t \in X}\Pr [T=t]\).
We will apply the LHL to the following universal hash family that arises in our construction.
Lemma 8
(Adapted from [33]) Let \(q, k, d \ge 2\), q prime, and \(\mathsf {Supp} _r \subseteq {\mathbb {Z}}^{<k+1}_q[x]\). For \((b_i)_i \in ({\mathbb {Z}}_q^{<d+k}[x])^t\), we let \(h_{(b_i)_i}\) denote the map that sends \((r_i)_{i \le t} \in (\mathsf {Supp} _r)^t\) to \(\sum _{i \le t} r_i \odot _{_d} b_i \in {\mathbb {Z}}_q^{<d}[x]\). Then the hash function family \((h_{(b_i)_i})_{(b_i)_i}\) is universal.
Proof
Our aim is to show that for \(r_1,\ldots ,r_t\) not all 0 in \(\mathsf {Supp} _r\), we have
W.l.o.g. we may assume that \(r_1 \ne 0\). By linearity, it suffices to prove that for all \(y \in {\mathbb {Z}}_q^{<d}[x]\),
Let j be minimal such that the coefficient in \(x^j\) of \(r_1\) is non-zero and hence co-prime to q. Then the equation \(r_1 \odot _{_d} b_1 = y\) restricted to entries \(j+1\) to \(j+d\) is a triangular linear system in the coefficients of \(b_1\) with diagonal coefficients invertible mod q. The map \(b_1 \mapsto r_1 \odot _{_d} b_1\) restricted to these coefficients of \(b_1\) is hence a bijection. This gives the equality above. \(\square \)
1.1 Appendix C.1: Proof of Theorem 3
Proof
We summarize the modifications of the argument in [33] and the concrete reduction cost. The proof consists of three games (let \(p_i\) be the attacker \(\mathsf {A} \)’s success probability in \(\mathsf {Game} _i\)).
- \(\mathsf {Game} _0:\) The original \(\mathsf {IND} \text{- }\mathsf {CPA} \) game.
- \(\mathsf {Game} _1:\) Instead of generating \(\mathsf {pk}=({\bar{a}}_i,b_i)_{i \le t}\) with \(b_i = a_i \ \odot _{_{d+k}} s + e_i \in {\mathbb {Z}}_q^{<d+k}[x]\) using \(\mathsf {Titanium\text{- }CPA}.\mathsf {KeyGen} \), where we define \(a_i = \mathsf {Rev} ({\bar{a}}_i)\) for \(i=1,\ldots ,t\), the challenger sets \(b_i \hookleftarrow U({\mathbb {Z}}_q^{<d+k}[x])\) independently of \(a_i\).

  We can construct a distinguishing attacker against \(\mathsf {MP} \text{- }\mathsf {LWE} _{q,n,d+k,D_{\alpha q}}\) given t samples, that has run-time \(T_{\mathsf {MP} \text{- }\mathsf {LWE} } = T+O(t \cdot (n+d+k) \cdot \log q)\) and distinguishing advantage \(\varepsilon _{\mathsf {MP} \text{- }\mathsf {LWE} } = |p_1 - p_0|\). Given t \(\mathsf {MP} \text{- }\mathsf {LWE} \) samples \((a'_i, b'_i)_{ i \le t}\), the \(\mathsf {MP} \text{- }\mathsf {LWE} \) attacker computes \({\bar{a}}_i = \mathsf {Rev} (a'_i)\) and \(b_i = b'_i\) for \(i=1,\ldots ,t\), and sets \(\mathsf {pk}=({\bar{a}}_i,b_i)_{i \le t}\) as the public key. If \((a'_i,b'_i)\) have the \(\mathsf {MP} \) distribution (resp. uniform distribution), then \(({\bar{a}}_i,b_i)_{i \le t}\) have the correct public key distribution as in \(\mathsf {Game} _0\) (resp. \(\mathsf {Game} _1\)), using the fact that \(\mathsf {Rev} \) is an injective mapping on \({\mathbb {Z}}_q^{<n}[x]\).
- \(\mathsf {Game} _2:\) Instead of generating the second challenge ciphertext component \(c_2\) as \(c'_2 = \sum ^t_{i=1} \mathsf {Rev} (r_i) \odot _{_d} b_i + \lfloor q/p \rfloor \cdot m \in {\mathbb {Z}}_q^{<d}[x]\), the challenger sets \(c_2 \hookleftarrow U({\mathbb {Z}}_q^{<d}[x])\), but leaves \(c_1 = \sum _{i\le t} r_i \cdot a_i\) as before. By the LHL (Lemma 7), with \(\gamma (T) = B_1^{N_{\mathsf {dec1} }} \cdot B_2^{N_{\mathsf {dec} }-N_{\mathsf {dec1} }}\) the (exponential of the) inverse min-entropy of the input \((\mathsf {Rev} (r_1),\ldots ,\mathsf {Rev} (r_t))\) to the universal hash family in Lemma 8, \(|Y|=q^d\) the hash output space size, and \(|Z| = q^{n+k}\) the size of the leakage space due to \(c_1\), the statistical distance between the distributions of the challenge ciphertext in \(\mathsf {Game} _2\) and \(\mathsf {Game} _1\) is at most \(\varDelta _{\mathsf {LHL} }\) if the condition

  $$\begin{aligned} \frac{1}{2} \cdot \sqrt{B_1^{-N_{\mathsf {dec1} }} \cdot B_2^{-(N_{\mathsf {dec} }-N_{\mathsf {dec1} })} q^{n+d+k}} \le \varDelta _{\mathsf {LHL} } \end{aligned}$$ (45)

  holds, which is equivalent to (26), using the definitions \(N_{\mathsf {dec} } {\mathop {=}\limits ^{\mathrm {def}}}(k+1) \cdot t\), \(B_1=2^{b_1+1}\) and \(B_2=2^{b_2+1}\).
In the last game, the attacker’s view is independent of the encrypted challenge message, so \(p_2=1/2\). It follows that \(|p_0-p_2| = |p_0-1/2| = \varepsilon /2 \le |p_1-p_0| + |p_2-p_1| \le \varepsilon _{\mathsf {MP} \text{- }\mathsf {LWE} } + \varDelta _{\mathsf {LHL} }\), which gives (30). \(\square \)
Cite this article
Steinfeld, R., Sakzad, A. & Zhao, R.K. Practical \(\mathsf {MP} \text{- }\mathsf {LWE} \)-based encryption balancing security-risk versus efficiency. Des. Codes Cryptogr. 87, 2847–2884 (2019). https://doi.org/10.1007/s10623-019-00654-5
Keywords
- Middle-product learning with errors (\(\mathsf {MP} \text{- }\mathsf {LWE} \))
- Lattice-based cryptography
- Quantum-resistant cryptography
- Public-key encryption
- KEM
- Cryptography implementation