Provably weak instances of Ring-LWE revisited Wouter Castryck1,2 , Ilia Iliashenko1 , Frederik Vercauteren1,3 1 COSIC, KU Leuven Ghent University Open Security Research 2 3 EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 1/15 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors I investigate if evaluation-at-1-attacks apply to Ring-LWE, EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/15 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors I investigate if evaluation-at-1-attacks apply to Ring-LWE, I claim to have indeed found vulnerable instances. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/15 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors I investigate if evaluation-at-1-attacks apply to Ring-LWE, I claim to have indeed found vulnerable instances. I Vulnerable meaning: leak partial information about the secret with non-negligible probability. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/15 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors I investigate if evaluation-at-1-attacks apply to Ring-LWE, I claim to have indeed found vulnerable instances. I Vulnerable meaning: leak partial information about the secret with non-negligible probability. However, I they did not set up Ring-LWE as described in [LPR]. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/15 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors I investigate if evaluation-at-1-attacks apply to Ring-LWE, I claim to have indeed found vulnerable instances. I Vulnerable meaning: leak partial information about the secret with non-negligible probability. However, I they did not set up Ring-LWE as described in [LPR]. I Their instantiation generates many noise-free equations EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/15 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors I investigate if evaluation-at-1-attacks apply to Ring-LWE, I claim to have indeed found vulnerable instances. I Vulnerable meaning: leak partial information about the secret with non-negligible probability. However, I they did not set up Ring-LWE as described in [LPR]. I Their instantiation generates many noise-free equations I allowing to recover the entire secret with near certainty. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/15 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors I investigate if evaluation-at-1-attacks apply to Ring-LWE, I claim to have indeed found vulnerable instances. I Vulnerable meaning: leak partial information about the secret with non-negligible probability. However, I they did not set up Ring-LWE as described in [LPR]. I Their instantiation generates many noise-free equations I allowing to recover the entire secret with near certainty. Currently no threat to Ring-LWE. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/15 1. Learning With Errors (LWE) The LWE problem (O. Regev, ‘05): solve a linear system b0 a10 a11 . . . a1,n−1 s0 b1 a20 a21 . . . a2,n−1 s1 .. ≈ .. .. .. · .. . . . . . . . . bn−1 am0 am1 . . . am,n−1 sn−1 over a finite field Fp for a secret (s0 , s1 , . . . , sn−1 ) ∈ Fnp where EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 3/15 1. Learning With Errors (LWE) The LWE problem (O. Regev, ‘05): solve a linear system b0 a10 a11 . . . a1,n−1 s0 b1 a20 a21 . . . a2,n−1 s1 .. ≈ .. .. .. · .. . . . . . . . . bn−1 am0 am1 . . . am,n−1 sn−1 over a finite field Fp for a secret (s0 , s1 , . . . , sn−1 ) ∈ Fnp where I each equation is perturbed by a “small” error, i.e. bi = ai0 s0 + ai1 s1 + · · · + ai,n−1 sn−1 + ei , EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 3/15 1. Learning With Errors (LWE) The LWE problem (O. Regev, ‘05): solve a linear system b0 a10 a11 . . . a1,n−1 s0 b1 a20 a21 . . . a2,n−1 s1 .. ≈ .. .. .. · .. . . . . . . . . bn−1 am0 am1 . . . am,n−1 sn−1 over a finite field Fp for a secret (s0 , s1 , . . . , sn−1 ) ∈ Fnp where I each equation is perturbed by a “small” error, i.e. bi = ai0 s0 + ai1 s1 + · · · + ai,n−1 sn−1 + ei , I the aij ∈ Fp are chosen uniformly randomly, EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 3/15 1. Learning With Errors (LWE) The LWE problem (O. Regev, ‘05): solve a linear system b0 a10 a11 . . . a1,n−1 s0 b1 a20 a21 . . . a2,n−1 s1 .. ≈ .. .. .. · .. . . . . . . . . bn−1 am0 am1 . . . am,n−1 sn−1 over a finite field Fp for a secret (s0 , s1 , . . . , sn−1 ) ∈ Fnp where I each equation is perturbed by a “small” error, i.e. bi = ai0 s0 + ai1 s1 + · · · + ai,n−1 sn−1 + ei , I the aij ∈ Fp are chosen uniformly randomly, I an adversary can ask for new equations (m > n). EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 3/15 1. Learning With Errors (LWE) The LWE problem (O. Regev, ‘05): solve a linear system b0 a10 a11 . . . a1,n−1 s0 e0 b1 a20 a21 . . . a2,n−1 s1 e1 .. = .. .. .. · .. + .. . . . . . . . . . bn−1 am0 am1 . . . am,n−1 sn−1 en−1 over a finite field Fp for a secret (s0 , s1 , . . . , sn−1 ) ∈ Fnp where I each equation is perturbed by a “small” error, i.e. bi = ai0 s0 + ai1 s1 + · · · + ai,n−1 sn−1 + ei , I the aij ∈ Fp are chosen uniformly randomly, I an adversary can ask for new equations (m > n). EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 3/15 1. Learning With Errors (LWE) Features: I hardness reduction from classical lattice problems, I versatile building block for cryptography, enabling exciting applications (FHE, PQ crypto, . . . ) EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 4/15 1. Learning With Errors (LWE) Features: I hardness reduction from classical lattice problems, I versatile building block for cryptography, enabling exciting applications (FHE, PQ crypto, . . . ) Drawback: key size. I To hide the secret one needs an entire linear system: b0 a10 a11 . . . a1,n−1 s0 b1 a20 a21 . . . a2,n−1 s1 .. ≈ .. .. .. · .. . .. . . . . . . bn−1 ↑ n log p am0 am1 . . . am,n−1 ↑ mn log p EUROCRYPT, May 9, 2016 sn−1 ↑ n log p Provably weak instances of Ring-LWE revisited 4/15 2. Ring-based LWE Solution: I Identify key space Fnp Z[x] (p, f (x)) with for some monic deg n polynomial f (x) ∈ Z[x], by viewing (s0 , s1 , . . . , sn−1 ) as s0 + s1 x + s2 x 2 + · · · + sn−1 x n−1 . EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 5/15 2. Ring-based LWE Solution: I Identify key space Fnp Z[x] (p, f (x)) with for some monic deg n polynomial f (x) ∈ Z[x], by viewing (s0 , s1 , . . . , sn−1 ) I as s0 + s1 x + s2 x 2 + · · · + sn−1 x n−1 . Use samples of the form b0 s0 b1 s1 .. ≈ Aa · .. . . bn−1 sn−1 EUROCRYPT, May 9, 2016 with Aa the matrix of multiplication by some random a(x) = a0 + a1 x + · · · + an−1 x n−1 . Provably weak instances of Ring-LWE revisited 5/15 2. Ring-based LWE Solution: I Identify key space Fnp Z[x] (p, f (x)) with for some monic deg n polynomial f (x) ∈ Z[x], by viewing (s0 , s1 , . . . , sn−1 ) I s0 + s1 x + s2 x 2 + · · · + sn−1 x n−1 . Use samples of the form b0 s0 b1 s1 .. ≈ Aa · .. . . bn−1 I as sn−1 with Aa the matrix of multiplication by some random a(x) = a0 + a1 x + · · · + an−1 x n−1 . Store a(x) rather than Aa : saves factor n. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 5/15 2. Ring-based LWE Example: I if f (x) = x n − 1, then Aa is the circulant matrix a0 an−1 . . . a2 a1 a1 a0 . . . a3 a2 a2 a1 . . . a4 a3 .. .. .. .. . . . . . . . an−1 an−2 . . . a1 a0 of which it suffices to store the first column. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 6/15 2. Ring-based LWE Example: I if f (x) = x n − 1, then Aa is the circulant matrix a0 an−1 . . . a2 a1 a1 a0 . . . a3 a2 a2 a1 . . . a4 a3 .. .. .. .. . . . . . . . an−1 an−2 . . . a1 a0 of which it suffices to store the first column. I Bad example, because of . . . EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 6/15 3. Evaluation-at-1 attack Potential threat: I Suppose f (1) ≡ 0 mod p, then Z[x] → Fp : r(x) 7→ r(1) = r0 + r1 + · · · + rn−1 , (p, f (x)) is a well-defined ring homomorphism. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 7/15 3. Evaluation-at-1 attack Potential threat: I Suppose f (1) ≡ 0 mod p, then Z[x] → Fp : r(x) 7→ r(1) = r0 + r1 + · · · + rn−1 , (p, f (x)) is a well-defined ring homomorphism. I Our ring-based LWE samples b(x) = a(x) · s(x) + e(x) evaluate to b(1) = a(1) · s(1) + e(1). EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 7/15 3. Evaluation-at-1 attack Potential threat: I Suppose f (1) ≡ 0 mod p, then Z[x] → Fp : r(x) 7→ r(1) = r0 + r1 + · · · + rn−1 , (p, f (x)) is a well-defined ring homomorphism. I Our ring-based LWE samples b(x) = a(x) · s(x) + e(x) evaluate to b(1) = a(1) · s(1) + e(1). I For each guess for s(1) ∈ Fp , analyze distribution of e(1). EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 7/15 3. Evaluation-at-1 attack Potential threat: I Suppose f (1) ≡ 0 mod p, then Z[x] → Fp : r(x) 7→ r(1) = r0 + r1 + · · · + rn−1 , (p, f (x)) is a well-defined ring homomorphism. I Our ring-based LWE samples b(x) = a(x) · s(x) + e(x) evaluate to b(1) = a(1) · s(1) + e(1). I For each guess for s(1) ∈ Fp , analyze distribution of e(1). I Non-uniformity might reveal s(1), and maybe more . . . EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 7/15 3. Evaluation-at-1 attack Potential threat: I Suppose f (1) ≡ 0 mod p, then Z[x] → Fp : r(x) 7→ r(1) = r0 + r1 + · · · + rn−1 , (p, f (x)) is a well-defined ring homomorphism. I Our ring-based LWE samples b(x) = a(x) · s(x) + e(x) evaluate to b(1) = a(1) · s(1) + e(1). I For each guess for s(1) ∈ Fp , analyze distribution of e(1). I Non-uniformity might reveal s(1), and maybe more . . . Safety measure: restrict to irreducible f (x) ∈ Z[x]. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 7/15 4. Ring-LWE Direct ring-based analogue of LWE-sample would read b0 s0 e0 b1 s1 e1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 with the ei sampled independently from N(0, σ) for some fixed small σ = σ(n). EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 8/15 4. Ring-LWE Direct ring-based analogue of LWE-sample would read b0 s0 e0 b1 s1 e1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 with the ei sampled independently from N(0, σ) for some fixed small σ = σ(n). This is not Ring-LWE! EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 8/15 4. Ring-LWE Direct ring-based analogue of LWE-sample would read b0 s0 e0 b1 s1 e1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 with the ei sampled independently from N(0, σ) for some fixed small σ = σ(n). This is not Ring-LWE! I Not backed up by hardness statement. I Evaluation-at-1 known to work in special cases [ELS]. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 8/15 4. Ring-LWE Direct ring-based analogue of LWE-sample would read b0 s0 e0 b1 s1 e1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 with the ei sampled independently from N(0, σ) for some fixed small σ = σ(n). This is not Ring-LWE! I Not backed up by hardness statement. I I Evaluation-at-1 known to work in special cases [ELS]. Sometimes called Poly-LWE. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 8/15 4. Ring-LWE So what is Ring-LWE according to [LPR]? Samples look like e0 s0 b0 e1 s1 b1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 EUROCRYPT, May 9, 2016 en−1 Provably weak instances of Ring-LWE revisited 9/15 4. Ring-LWE So what is Ring-LWE according to [LPR]? Samples look like b0 s0 e0 b1 s1 e1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 where I B is the canonical embedding matrix, I Af 0 (x) compensates for the fact that one actually picks secrets from the dual. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 9/15 4. Ring-LWE So what is Ring-LWE according to [LPR]? Samples look like b0 s0 e0 b1 s1 e1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 where I B is the canonical embedding matrix, I Af 0 (x) compensates for the fact that one actually picks secrets from the dual. Hardness reduction from ideal lattice problems. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 9/15 4. Ring-LWE So what is Ring-LWE according to [LPR]? Samples look like b0 s0 e0 b1 s1 e1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 where I B is the canonical embedding matrix, I Af 0 (x) compensates for the fact that one actually picks secrets from the dual. Hardness reduction from ideal lattice problems. Note: I factor Af 0 (x) · B −1 might skew the error distribution, EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 9/15 4. Ring-LWE So what is Ring-LWE according to [LPR]? Samples look like b0 s0 e0 b1 s1 e1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 where I B is the canonical embedding matrix, I Af 0 (x) compensates for the fact that one actually picks secrets from the dual. Hardness reduction from ideal lattice problems. Note: I factor Af 0 (x) · B −1 might skew the error distribution, I but also scales it! EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 9/15 4. Ring-LWE . . . but also scales it! b0 s0 e0 s1 e1 b1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 Indeed, one has I det Af 0 (x) = ∆ with ∆ = |disc f (x)| , EUROCRYPT, May 9, 2016 ← could be huge Provably weak instances of Ring-LWE revisited 10/15 4. Ring-LWE . . . but also scales it! b0 s0 e0 s1 e1 b1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 Indeed, one has I I det Af 0 (x) = ∆ with det B −1 ∆ = |disc f (x)| , √ = 1/ ∆. EUROCRYPT, May 9, 2016 ← could be huge Provably weak instances of Ring-LWE revisited 10/15 4. Ring-LWE . . . but also scales it! b0 s0 e0 s1 e1 b1 .. = Aa · .. + Af 0 (x) · B −1 · .. . . . bn−1 sn−1 en−1 Indeed, one has I I det Af 0 (x) = ∆ with det B −1 ∆ = |disc f (x)| , √ = 1/ ∆. ← could be huge So “on average”, each ei is scaled up by I √ ∆ 1/n ... . . . but remember: skewness. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 10/15 5. Provably weak instances of Ring-LWE revisited [ELOS] constructed families of polynomials f (x) that are vulnerable to an evaluation-at-1 attack. For convenience they picked non-dual secrets: b0 s0 b1 s1 .. = Aa · .. + Af 0 (x) · B −1 · . . bn−1 sn−1 EUROCRYPT, May 9, 2016 e0 e1 .. . . en−1 Provably weak instances of Ring-LWE revisited 11/15 5. Provably weak instances of Ring-LWE revisited [ELOS] constructed families of polynomials f (x) that are vulnerable to an evaluation-at-1 attack. For convenience they picked non-dual secrets: b0 s0 b1 s1 .. = Aa · .. + Af 0 (x) · B −1 · . . bn−1 sn−1 e0 e1 .. . . en−1 Recall: I √ det B −1 = 1/ ∆, so the errors get squeezed. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 11/15 5. Provably weak instances of Ring-LWE revisited [ELOS] constructed families of polynomials f (x) that are vulnerable to an evaluation-at-1 attack. For convenience they picked non-dual secrets: b0 s0 b1 s1 .. = Aa · .. + Af 0 (x) · B −1 · . . bn−1 sn−1 e0 e1 .. . . en−1 Recall: I √ det B −1 = 1/ ∆, so the errors get squeezed. I To compensate, they scale up the errors by a factor EUROCRYPT, May 9, 2016 √ ∆ 1/n Provably weak instances of Ring-LWE revisited . 11/15 5. Provably weak instances of Ring-LWE revisited [ELOS] constructed families of polynomials f (x) that are vulnerable to an evaluation-at-1 attack. For convenience they picked non-dual secrets: b0 s0 b1 s1 √ 1/n .. = Aa · .. + ∆ B −1 · . . bn−1 sn−1 e0 e1 .. . . en−1 Recall: I √ det B −1 = 1/ ∆, so the errors get squeezed. I To compensate, they scale up the errors by a factor EUROCRYPT, May 9, 2016 √ ∆ 1/n Provably weak instances of Ring-LWE revisited . 11/15 5. Provably weak instances of Ring-LWE revisited Issue: I b0 b1 .. . s0 s1 .. . e0 e1 .. . √ 1/n . = Aa · + ∆ B −1 · en−1 bn−1 sn−1 The factor √ ∆ 1/n compensates for B −1 only “on average”. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 12/15 5. Provably weak instances of Ring-LWE revisited Issue: b0 b1 .. . s0 s1 .. . e0 e1 .. . √ 1/n . = Aa · + ∆ B −1 · en−1 bn−1 sn−1 √ 1/n compensates for B −1 only “on average”. I The factor I In some coordinates B −1 could scale down much more. ∆ Compensation factor is insufficient merely rounding yields exact equations in the secret! EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 12/15 5. Provably weak instances of Ring-LWE revisited All instances from [ELOS] suffer from this skewness. I Example: f (x) = x 256 + 8190, p = 8191. I Standard deviations even form a geometric series! Error distribution in each coordinate (experimental): 3σ ← note: f (1) ≡ 0 mod p 1,200 1,000 800 600 σ 400 200 µ 0 0 20 40 60 80 100 120 140 160 180 200 220 240 coordinate index EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 13/15 5. Provably weak instances of Ring-LWE revisited All instances from [ELOS] suffer from this skewness. I Example: f (x) = x 256 + 8190, p = 8191. I Standard deviations even form a geometric series! Error distribution in each coordinate (experimental): 3σ ← note: f (1) ≡ 0 mod p 6 4 1 2 σ 2 −→ µ 0 150 160 170 180 190 200 210 220 230 240 250 coordinate index EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 13/15 5. Provably weak instances of Ring-LWE revisited Evaluation-at-1 allowed [ELOS] to recover s(1), I using about 20 samples with a success rate of 20%. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 14/15 5. Provably weak instances of Ring-LWE revisited Evaluation-at-1 allowed [ELOS] to recover s(1), I using about 20 samples with a success rate of 20%. But after rounding, the last ≈ n/7 equations become exact, I so 7 or 8 samples suffice to recover s(x) exactly. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 14/15 5. Provably weak instances of Ring-LWE revisited Evaluation-at-1 allowed [ELOS] to recover s(1), I using about 20 samples with a success rate of 20%. But after rounding, the last ≈ n/7 equations become exact, I so 7 or 8 samples suffice to recover s(x) exactly. Similar remarks apply to the other instances from [ELOS]. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 14/15 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/15 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: I Currently, evaluation-at-1 is not a threat to Ring-LWE. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/15 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: I Currently, evaluation-at-1 is not a threat to Ring-LWE. I Both B −1 and Af 0 (x) · B −1 can be very skew, so mostly a matter of insufficient scaling, rather than dual vs. non-dual. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/15 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: I Currently, evaluation-at-1 is not a threat to Ring-LWE. I Both B −1 and Af 0 (x) · B −1 can be very skew, so mostly a matter of insufficient scaling, rather than dual vs. non-dual. I To compensate for Af 0 (x) a factor ∆1/n makes more sense. Does scaling this way lead to a provably hard problem? EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/15 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: I Currently, evaluation-at-1 is not a threat to Ring-LWE. I Both B −1 and Af 0 (x) · B −1 can be very skew, so mostly a matter of insufficient scaling, rather than dual vs. non-dual. I To compensate for Af 0 (x) a factor ∆1/n makes more sense. Does scaling this way lead to a provably hard problem? I If one does scale the [ELOS] examples sufficiently, then the error coordinates of low index become uniform. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/15 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: I Currently, evaluation-at-1 is not a threat to Ring-LWE. I Both B −1 and Af 0 (x) · B −1 can be very skew, so mostly a matter of insufficient scaling, rather than dual vs. non-dual. I To compensate for Af 0 (x) a factor ∆1/n makes more sense. Does scaling this way lead to a provably hard problem? I If one does scale the [ELOS] examples sufficiently, then the error coordinates of low index become uniform. I The cyclotomic case seems naturally protected against geometric growth. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/15
© Copyright 2026 Paperzz