We present TESLA] (pronounced “Tesla Sharp”), a digital signature scheme based on the R-LWE assumption that continues a recent line of proposals of lattice-based digital signature schemes originating in work by Lyubashevsky as well as by Bai and Galbraith. It improves upon all of its predecessors in that it attains much faster key pair generation, signing, and verification, outperforming most (...

In this paper we propose an efficient and compact processor for a ring-LWE based encryption scheme. We present three optimizations for the Number Theoretic Transform (NTT) used for polynomial multiplication: we avoid preprocessing in the negative wrapped convolution by merging it with the main algorithm, we reduce the fixed computation cost of the twiddle factors and propose an advanced memory ...

The learning with errors (LWE) problem is to efficiently distinguish vectors created from a ‘noisy’ set of linear equations between uniformly random vectors. Given a matrix A ∈ Zm×n q and a vector v ∈ Zq , the goal is to determine whether v has been sampled uniformly at random from Zq or whether v = As+ e for some random s ∈ Zq and e ∈ χm, where χ is a small ‘noise’ distribution over Zq. Observ...

Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the ring learning with errors problem (ring-LWE) has become a popular building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction from ideal lattice problems. But, for a given modulus q and degree n number field K, generating ring-LWE samples can be perceiv...

We provide a tight security proof for an IND-CCA RingLWE based Key Encapsulation Mechanism that is derived from a generic construction of Dent (IMA Cryptography and Coding, 2003). Such a tight reduction is not known for the generic construction. The resulting scheme has shorter ciphertexts than can be achieved with other generic constructions of Dent or by using the well-known Fujisaki-Okamoto ...

Evaluating the practical security of Ring-LWE based cryptography has attracted lots of efforts recently. Indeed, some differences from the standard LWE problem enable new attacks. In this paper we discuss the security of Ring-LWE as found in Fully Homomorphic Encryption (FHE) schemes. These schemes require parameters of very special shapes, that an attacker might use to its advantage. First we ...

Informally, a public-key encryption scheme is k-circular secure if a cycle of k encrypted secret keys (Encpk1(sk2),Encpk2(sk3), . . . ,Encpkk(sk1)) is indistinguishable from encryptions of zeros. Circular security has applications in a wide variety of settings, ranging from security of symbolic protocols to fully homomorphic encryption. A fundamental question is whether standard security notion...

The learning with errors over rings (Ring-LWE) problem—or more accurately, family of problems— has emerged as a promising foundation for cryptography due to its practical efficiency, conjectured quantum resistance, and provable worst-case hardness: breaking certain instantiations of Ring-LWE is at least as hard as quantumly approximating the Shortest Vector Problem on any ideal lattice in the r...

The Ring-LWE problem, introduced by Lyubashevsky, Peikert, and Regev (Eurocrypt 2010), has been steadily finding many uses in numerous cryptographic applications. Still, the Ring-LWE problem defined in [LPR10] involves the fractional ideal R∨, the dual of the ring R, which is the source of many theoretical and implementation technicalities. Until now, getting rid of R∨, required some relatively...