4 research outputs found

    Partial Key Exposure in Ring-LWE-Based Cryptosystems: Attacks and Resilience

    We initiate the study of partial key exposure in ring-LWE-based cryptosystems. Specifically, we:

    - Introduce the search and decision Leaky-RLWE assumptions (Leaky-SRLWE, Leaky-DRLWE), to formalize the hardness of search/decision RLWE under leakage of some fraction of coordinates of the NTT transform of the RLWE secret and/or error.
    - Present and implement an efficient key exposure attack that, given certain 1/4-fraction of the coordinates of the NTT transform of the RLWE secret, along with RLWE instances, recovers the full RLWE secret for standard parameter settings.
    - Present a search-to-decision reduction for Leaky-RLWE for certain types of key exposure.
    - Analyze the security of NewHope key exchange under partial key exposure of 1/8-fraction of the secrets and error. We show that, assuming that Leaky-DRLWE is hard for these parameters, the shared key v (which is then hashed using a random oracle) is computationally indistinguishable from a random variable with average min-entropy 238, conditioned on transcript and leakage, whereas without leakage the min-entropy is 256.

    Finding Most Likely Solutions

    As a framework for simple but basic statistical inference problems we introduce a generic Most Likely Solution problem, a task of finding a most likely solution (MLS in short) for a given problem instance under some given probability model. Although many MLS problems are NP-hard, we propose, for these problems, to study their average-case complexity under their assumed probability models. We show three examples of MLS problems, and explain that “message passing algorithms” (e.g., belief propagation) work reasonably well for these problems. Some of the technical results of this paper are from the author’s recent work [WY06, OW06].
