Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [lwe]

Learning with Errors is a form of lattice problem used in the design of cryptographic primitives. LWE is based on the Closest Vector Problem (CVP).

Learning with Errors is a form of lattice problem used in the design of cryptographic primitives. LWE asks one to solve the closest-vector problem (CVP). The CVP was shown to have a worst-case approximation to the average-case, indicating the difficulty for cryptanalysis of solving lattice problems based on the CVP. This security reduction makes LWE a strong candidate for post-quantum cryptographic schemes.

262 questions
62
votes
4 answers

Polynomial-time Quantum Algorithms for Lattice Problems

A new paper, by Yilei Chen, whose title is Quantum Algorithms for Lattice Problems (https://eprint.iacr.org/2024/555) appeared on eprint and it claims to solve hard lattice problems, such as the approximate (gap) shortest vector problem…
Hilder Vitor Lima Pereira
  • 7,476
  • 1
  • 25
  • 45
11
votes
2 answers

Why is Ring-LWE more efficient compared to LWE?

Can someone please tell me why is the Ring-LWE more efficient? By introducing polynomials in place of matrices, what kind of optimizations do we introduce that make Ring-LWE more efficient?
AdveRSAry
  • 634
  • 3
  • 14
11
votes
1 answer

Relationship between LWE, SIS, and ISIS

Suppose I have a short-secret LWE instance $As+e=b\mod q$. If I treat this as a single matrix, it becomes an ISIS problem: $$ \begin{pmatrix} I &A\end{pmatrix}\begin{pmatrix} e \\ s\end{pmatrix}=b\mod q$$ Any short solution to this problem solves my…
Sam Jaques
  • 1,808
  • 9
  • 13
10
votes
1 answer

Can lattice cryptography problems (ISIS, LWE, etc) be reduced to HSP?

I'm aware that RSA and ECC can be reduced to the Abelian Hidden Subgroup Problem (HSP), which is what makes them vulnerable to Shor's algorithm. I'm curious whether similar reductions exist for lattice-based cryptographic problems such as the…
beep
  • 201
  • 1
9
votes
0 answers

Does there exist trapdoor permutation from lattices?

It seems that the lattice functions are either surjective (SIS) or injective (LWE), due to the error that is basically intended to destroy the structure and provide security. I was wondering whether there exist bijective functions for lattice, more…
user4936
8
votes
2 answers

LWE: Round a continuous Gaussian to a true Discrete Gaussian

Short version: how is it possible to round a continuous Gaussian into a true discrete Gaussian (usually denoted $\mathcal{D}_{\mathbb{Z},\alpha q}$)? The goal is to obtain a reduction from continuous LWE to a true-discrete LWE and combine it with…
Léo Colisson
  • 1,551
  • 13
  • 14
8
votes
1 answer

NewHope and NIST's Post-quantum standardization

Where can I find NIST's reasoning to eliminate NewHope from the 3rd round of the post-quantum competition? I see all the lattice KEMs finalists are based on modules. Is being a ring-based KEM contributed to their elimination? In this case, is there…
Rick
  • 1,305
  • 8
  • 17
8
votes
1 answer

Are LPN and LWE problems equivalent?

Learning with Error (LWE) problem seems like a generalization of Learning Parity with Noise (LPN) problem, where in the latter one uses bits. But, this also makes LPN seem very related to the problem of decoding a random linear code. I was just…
user4936
8
votes
1 answer

LWE: error and float operations

Background I'm trying to make sense of the error in implementations of LWE and R-LWE. In LWE and R-LWE error is added to vectors in lattices to make it computationally infeasible to recover any meaningful data. It was said here that using float…
floor cat
  • 214
  • 2
  • 22
8
votes
1 answer

Number of LWE samples in NewHope

This is regarding the number post-quantum key exchange protocol New-Hope (https://eprint.iacr.org/2015/1092.pdf). In the paper, we can see that the number of samples generated by the protocol is $2n$ where $n$ is $1024$, the rank of matrix $a$. Once…
Rick
  • 1,305
  • 8
  • 17
7
votes
1 answer

Decision to Search LWE when modulus $q=p^e$

I am reading Applebaum et al.. In Lemma 1. (page 7), Applebaum et al. proved the decision to search reduction when the modulus $q=p^e$ for prime $p$. In the proof, they define the hybrid distribution $A^i_{\mathbf{s},\chi}$ and say "By a hybrid…
M.Z.
  • 165
  • 10
7
votes
1 answer

Is LPN not as important as LWE and SVP?

I've been learning about lattice cryptography and have noticed that most resources such as this survey by Chris Peikart, the Winter School on Lattice Cryptography etc don't include material on LPN, and typically only discuss SIS and LWE. According…
fraiser
  • 448
  • 3
  • 8
7
votes
1 answer

A RLWE promise problem

Let $(R , \chi$) be a standard RLWE problem instance. I.e. $R$ is a finite degree polynomial ring over a finite field and $\chi$ is some gaussian distribution over R with small variance. I wonder if the following promise problem is hard. Let…
user27950
7
votes
2 answers

Understand LWE(Learning With Error) negligible error probability

According to Regev's paper, p15 Correctness. Note that if not for the error in the LWE samples, $b-⟨a, s⟩$ would be either 0 or ⌊ q ⌋ depending on the encrypted bit, and decryption would always be correct. Hence we see that a decryption error…
xtt
  • 369
  • 2
  • 12
6
votes
0 answers

How did Kyber's authors compute the error probability $\delta$?

I'm studying the specification of Kyber that was submitted to NIST PQC Round 3. However, I cannot figure out how they compute the error probability $\delta$ for Kyber 512, 768 and 1024. I have read the Kyber paper (written with respect to round 1),…
Shara
  • 181
  • 2
1
2 3
17 18