Middle-Product Learning with Errors

Roşca, Miruna; Sakzad, Amin; Stehlé, Damien; Steinfeld, Ron

doi:10.1007/978-3-319-63697-9_10

Cited by 33 publications

(47 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since quadratic time verification was not feasible, we decided to develop a fast approach. Note that our algorithm might also be of interest for the recent Middle-Product Learning With Error problem [13].…”

Section: Introductionmentioning

confidence: 99%

A probabilistic algorithm for verifying polynomial middle product in linear time

Giorgi

2018

Information Processing Letters

View full text Add to dashboard Cite

Polynomial multiplication and its variants are a key ingredient in effective computer algebra. While verifying a polynomial product is a well known task, it was not yet clear how to do a similar approach for its middle product variant. In this short note, we present a new algorithm that provides such a verification with the same complexity and probability that for the classical polynomial multiplication. Furthermore, we extend our algorithm to verify any operations that compute only a certain chunk of the product, which is the case for instance of the well known short product operation.

show abstract

Section: Introductionmentioning

confidence: 99%

A probabilistic algorithm for verifying polynomial middle product in linear time

Giorgi

2018

Information Processing Letters

View full text Add to dashboard Cite

show abstract

“…Motivated by the question of how to choose a good polynomial, Lyubashevsky introduces the so-called R <n -SIS problem [Lyu16], a variant of the Short Integer Solution (SIS) problem, whose hardness does not depend only on a single polynomial, but on a set of polynomials. Inspired by this, Roşca et al [RSSS17] propose its LWE counterpart: the Middle-Product Learning With Errors (MP-LWE) problem. The MP-LWE problem is defined as follows: Taking two polynomials a and s over Z q of degrees less than n and n + d − 1, respectively, the middleproduct a d s is the polynomial of degree less than d given by the middle d coefficients of a • s. In other words, a d s = (a • s mod x n+d−1 )/x n−1 , where the floor rounding • denotes deleting all those terms with negative exponents on x.…”

Section: Introductionmentioning

confidence: 99%

“…For integers d, n and q with q ≥ 2 and 0 < d ≤ n as parameters, an MP-LWE sample is given by (a, b = a d s + e mod q), where s is a fixed element of Z <n+d−1 q [x], a is sampled from the uniform distribution over Z <n q [x] and e is sampled from a probability distribution χ over R <d [x]. As for the hardness of MP-LWE, Roşca et al [RSSS17] establish a reduction from the P-LWE problem parametrized by a polynomial f to the MP-LWE problem defined independently of any such f . Thus, as long as the P-LWE problem defined over some f (belonging to a huge family of polynomials) is hard, the MP-LWE problem is also guaranteed to be hard.…”

Section: Introductionmentioning

confidence: 99%

“…Thus, as long as the P-LWE problem defined over some f (belonging to a huge family of polynomials) is hard, the MP-LWE problem is also guaranteed to be hard. As a cryptographic application, Roşca et al [RSSS17] propose a public-key encryption (PKE) scheme that is IND-CPA secure under the MP-LWE hardness assumption, with keys of sizeÕ(λ) and running timeÕ(λ), where λ is the security parameter.…”

Section: Introductionmentioning

confidence: 99%

“…As a typical application, we propose a PKE scheme based on this MP-CLWR assumption which is IND-CPA secure in the random oracle model (Section 5). The attractiveness of our encryption scheme stems from the fact that we only have to round the middle-product of two polynomials instead of sampling Gaussian error during public key generation while guaranteeing the same security and having the same asymptotic key and ciphertext sizes as [RSSS17] (Section 6). Furthermore, we provide at the end of Section 6 a study of the concrete security of our scheme by looking at the currently best known attacks against it.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Middle-Product Learning with Rounding Problem and Its Applications

Bai

Boudgoust

Das

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

At CRYPTO 2017, Roşca et al. introduce a new variant of the Learning With Errors (LWE) problem, called the Middle-Product LWE (MP-LWE). The hardness of this new assumption is based on the hardness of the Polynomial LWE (P-LWE) problem parameterized by a set of polynomials, making it more secure against the possible weakness of a single defining polynomial. As a cryptographic application, they also provide an encryption scheme based on the MP-LWE problem. In this paper, we propose a deterministic variant of their encryption scheme, which does not need Gaussian sampling and is thus simpler than the original one. Still, it has the same quasi-optimal asymptotic key and ciphertext sizes. The main ingredient for this purpose is the Learning With Rounding (LWR) problem which has already been used to derandomize LWE type encryption. The hardness of our scheme is based on a new assumption called Middle-Product Computational Learning With Rounding, an adaption of the computational LWR problem over rings, introduced by Chen et al. at ASIACRYPT 2018. We prove that this new assumption is as hard as the decisional version of MP-LWE and thus benefits from worst-case to average-case hardness guarantees.

show abstract

Digital Signatures from the Middle-Product LWE

Hiromasa

2018

Provable Security

View full text Add to dashboard Cite

Middle-Product Learning with Errors

Cited by 33 publications

References 24 publications

A probabilistic algorithm for verifying polynomial middle product in linear time

A probabilistic algorithm for verifying polynomial middle product in linear time

Middle-Product Learning with Rounding Problem and Its Applications

Digital Signatures from the Middle-Product LWE

Contact Info

Product

Resources

About