Search results for: ring lwe
Number of results: 123352
We conduct a theoretical and practical comparison of two Ring-LWE-based, scale-invariant, leveled homomorphic encryption schemes – Fan and Vercauteren’s adaptation of BGV and the YASHE scheme proposed by Bos, Lauter, Loftus and Naehrig. In particular, we explain how to choose parameters to ensure correctness and security against lattice attacks. Our parameter selection improves the approach of ...
We provide a reduction of the Ring-LWE problem to problems in subrings, in the presence of samples of a restricted form (i.e., $(a,b)$ such that $a$ is in a multiplicative coset of the subring). To create and exploit such samples, we propose Ring-BKW, a version of the Blum--Kalai--Wasserman (BKW) algorithm which respects the ring structure. Off-the-shelf BKW dimension reduction (including coded-BKW and sieving) can be used for the reduction phase. Its primary advant...
We explore further the hardness of the non-dual discrete variant of the Ring-LWE problem for various number rings, give improved attacks for certain rings satisfying some additional assumptions, construct a new family of vulnerable Galois number fields, and apply some number theoretic results on Gauss sums to deduce the likely failure of these attacks for 2-power cyclotomic rings and unramified...
A seminal 2013 paper by Lyubashevsky, Peikert, and Regev proposed basing post-quantum cryptography on ideal lattices and supported this proposal by giving a polynomial-time security reduction from the approximate Shortest Independent Vectors Problem (SIVP) to the Decision Learning With Errors (DLWE) problem in lattices. We give a concrete analysis of this multi-step reduction. ...
In this paper, we revisit fully homomorphic encryption (FHE) based on GSW and its ring variants. We notice that the internal product of GSW can be replaced by a simpler external product between a GSW and an LWE ciphertext. We show that the bootstrapping scheme FHEW of Ducas and Micciancio [14] can be expressed only in terms of this external product. As a result, we obtain a speed up from less t...
The Learning with Rounding (LWR) problem was first introduced by Banerjee, Peikert, and Rosen (Eurocrypt 2012) as a derandomized form of the standard Learning with Errors (LWE) problem. The original motivation of LWR was as a building block for constructing efficient, low-depth pseudorandom functions on lattices. It has since been used to construct reusable computational extractors, lossy trapd...
We consider the leakage resilience of the Ring-LWE analogue of the Dual-Regev encryption scheme (R-Dual-Regev for short), originally presented by Lyubashevsky et al. (Eurocrypt ’13). Specifically, we would like to determine whether the R-Dual-Regev encryption scheme remains IND-CPA secure, even in the case where an attacker leaks information about the secret key. We consider the setting where R...