2018
DOI: 10.1007/978-3-030-03326-2_17

LWE Without Modular Reduction and Improved Side-Channel Attacks Against BLISS

Abstract: This paper is devoted to analyzing the variant of Regev's learning with errors (LWE) problem in which modular reduction is omitted: namely, the problem (ILWE) of recovering a vector s ∈ Z^n given polynomially many samples of the form (a, ⟨a, s⟩ + e) ∈ Z^(n+1) where a and e follow fixed distributions. Unsurprisingly, this problem is much easier than LWE: under mild conditions on the distributions, we show that the problem can be solved efficiently as long as the variance of e is not superpolynomially larger than th…
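The ILWE problem from the abstract, worked as an added example (not the paper's code): constructed samples (a, ⟨a, s⟩ + e) computed over the integers with no modular reduction, and the secret recovered by ordinary least squares, which is exactly what the missing reduction makes possible. The distributions of a and e, the dimension and the sample count are my assumptions; raising sigma far above 2 with the same sample count makes rounding fail, which illustrates the variance condition the abstract states.

```python
import random


def gen_ilwe_samples(s, m, sigma, seed=0):
    """Constructed ILWE instance (assumed distributions, not the paper's):
    a_i uniform on {-3..3}^n, e_i a rounded Gaussian of std sigma,
    b_i = <a_i, s> + e_i computed over the integers, no mod-q reduction."""
    rng = random.Random(seed)
    samples = []
    for _ in range(m):
        a = [rng.randint(-3, 3) for _ in range(len(s))]
        e = int(round(rng.gauss(0, sigma)))
        b = sum(ai * si for ai, si in zip(a, s)) + e
        samples.append((a, b))
    return samples


def least_squares(samples):
    """Solve the normal equations (A^T A) x = A^T b by Gaussian elimination.
    Without modular reduction the samples form an ordinary linear regression,
    which is what makes ILWE easy compared with LWE."""
    n = len(samples[0][0])
    ata = [[0.0] * n for _ in range(n)]
    atb = [0.0] * n
    for a, b in samples:
        for i in range(n):
            atb[i] += a[i] * b
            for j in range(n):
                ata[i][j] += a[i] * a[j]
    aug = [ata[i] + [atb[i]] for i in range(n)]  # augmented [A^T A | A^T b]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))  # pivoting
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [aug[i][n] for i in range(n)]


def recover_secret(samples):
    """Round the least-squares estimate to the nearest integer vector; exact
    when the error variance is small relative to the number of samples."""
    return [int(round(x)) for x in least_squares(samples)]


if __name__ == "__main__":
    secret = [1, -2, 0, 3, -1, 2, 0, -3]  # constructed small secret
    print(recover_secret(gen_ilwe_samples(secret, 2000, 2.0)) == secret)
```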

Cited by 33 publications (20 citation statements)
References 42 publications

“…As a result we were able to recover the expected number of most significant key bits. The detected peak sizes matched the estimate |B_q(K)| 16 with a small relative error of order 2^(−5), and the largest noise floors were about 5 times the estimated average (i.e., 5/√2 m 2) in both experiments. Once the top ℓ′ MSBs of sk have been found, recovering the remaining bits is fairly straightforward in Bleichenbacher's framework; one could just "re-inject" the known part of the secret to the HNP samples as k…”
Section: Attack Experiments (supporting)
confidence: 67%
“…In this appendix, we rely on standard results on subgaussian random variables as introduced for example in [16]. In particular, we use the following result.…”
Section: Estimating the Height of the Noise Floor (mentioning)
confidence: 99%
“…Both of these attacks targeted the Bernoulli and CDT sampling. An extension to this work was presented by Bootle et al. [6] which manages to recover 100% of the secret key compared to only 7% in the previous work [17]. Another side-channel attack by Ravi et al. [37] achieving existential forgery targeted Dilithium, a lattice-based signature scheme.…”
Section: Introduction (mentioning)
confidence: 94%
“…It is observed that the number of bit flips increases with the number of hammers. To find the susceptible memory locations in the pre-processing phase we set a value for the number of hammers as 10^6. The other observation is that there is not much difference between the number of 1 → 0 flips and 0 → 1 flips.…”
Section: Pre-processing Phase (Templating) (mentioning)
confidence: 99%
“…From the point of view of practical security and side-channel attacks, Gaussian samplers have been known to be a potential weak point (e.g., with respect to timing attacks [9,21,57]). However, the one used in Falcon was provided with a fully constant-time implementation with only minor losses in efficiency [47].…”
Section: Introduction (mentioning)
confidence: 99%