Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [lwe]

Learning with Errors is a form of lattice problem used in the design of cryptographic primitives. LWE is based on the Closest Vector Problem (CVP).

Learning with Errors is a form of lattice problem used in the design of cryptographic primitives. LWE asks one to solve the closest-vector problem (CVP). The CVP was shown to have a worst-case approximation to the average-case, indicating the difficulty for cryptanalysis of solving lattice problems based on the CVP. This security reduction makes LWE a strong candidate for post-quantum cryptographic schemes.

213 questions
10
votes
2 answers

Why is Ring-LWE more efficient compared to LWE?

Can someone please tell me why is the Ring-LWE more efficient? By introducing polynomials in place of matrices, what kind of optimizations do we introduce that make Ring-LWE more efficient?
AdveRSAry
  • 624
  • 3
  • 14
7
votes
1 answer

A RLWE promise problem

Let $(R , \chi$) be a standard RLWE problem instance. I.e. $R$ is a finite degree polynomial ring over a finite field and $\chi$ is some gaussian distribution over R with small variance. I wonder if the following promise problem is hard. Let…
user27950
5
votes
0 answers

How can I geometrically understand LWE ciphertext and decryption step?

In the bottom of the wikipedia article of LWE (https://en.wikipedia.org/wiki/Learning_with_errors), we can see construction of Public-key cryptosystem based on the LWE. But, I cannot understand whole thing geometrically. From a $n$-dimensional…
mallea
  • 1,605
  • 1
  • 9
  • 21
4
votes
1 answer

Is there an adaptive version of LWE assumption with respect to some potentially non-uniform secret distribution?

There is a version of LWE assumption as follow. Assume that there is a positive number $n$, an integer $q = q(n) \geq 2$, an error distribution $\chi = \chi_{n}$, a vector $\mathrm{\mathbf{s}} \gets \mathbb{Z}_{q}^{n}$ and for every efficient…
Blanco
  • 1,622
  • 1
  • 10
  • 20
4
votes
2 answers

As a high level intuition, why is LWE without modular reduction easy to solve?

The LWE conjecture states that, given $A \in \mathbb{Z}_q^{m \times n}$ and $A x + e$ for $x \in \mathbb{Z}_q^n, e \in \mathbb{Z}_q^n$ it's difficult to recover $x$, given that $e$ is sampled from a distribution concentrated around $0$. This might…
marmistrz
  • 143
  • 3
3
votes
1 answer

Parameters for LWE

In the LWE problem there are two methods in order to choose secure parameters. The Lindner-Peikert and Micciancio-Regev method. The first method is an attack to BDD : find closest vector knowing the distance is bounded. The second method uses a…
111
  • 796
  • 7
  • 16
2
votes
1 answer

How to prove reduction from decision to seach LWE?

I am new to cryptography, and trying to understand the concepts of LWE (learning with errors) formally. I will state my understanding of the definitions, which might be incorrect. Definitions According to My Understanding Let $R$ be a finite unital…
zxcv
  • 155
  • 5
2
votes
0 answers

Security of LWE when a small leakage is allowed on the noise

Short version: Are there some results that are known on the security of the Learning With Error problem when there are some leakages, notably on the noise? (In my case these leakages come from a bit that is leaked after successful decryption.) More…
Léo Colisson
  • 1,176
  • 9
  • 12
2
votes
1 answer

Probability distribution function in Regev Cryptosystem

In Regev - On Lattices, Learning with Errors, Random Linear Codes, and Cryptography, chapter 5, Public Key Crypto System, it is stated that The probability distribution function $\chi$ is taken to be $\Psi_{\alpha(n)}$ ... we can choose…
BGR
  • 179
  • 5
2
votes
1 answer

Interpreting Figure 1 in the "On Lattices, Learning with Errors, Random Linear Codes, and Cryptography"

I'm reading "On Lattices, Learning with Errors, Random Linear Codes, and Cryptography" by O. Regev. I'm having trouble with understanding graphs in Figure 1. By the definition of $\overline{\psi}_{\alpha}$, its support is $[0,1)$. However, graphs in…
Jonghyun Kim
  • 477
  • 2
  • 8
2
votes
1 answer

Learning with Errors Naive Algorithm

In Regev's publication "The Learning with Errors Problem", a naive algorithm is given on page 3 that can be used to tackle the LWE problem. This is the statement: Another, even more naive algorithm is the following: keep asking for LWE samples until…
Zpeed78
  • 95
  • 4
1
vote
0 answers

Advantage of distinguishing LWE using short vector in dual lattice

In analyzing the advantage of distinguishing LWE via dual attack, many papers uses the result of [LP11] as follows : Given an LWE instance parameterized by $n$, $\alpha$, $q$ and a vector $\mathbf{v}$ of length $||\mathbf{v}||^2$ in the scaled dual…
Jonghyun Kim
  • 477
  • 2
  • 8
1
vote
0 answers

Solving for secret s in LWE problem

in LWE instance $b=A^t s +e$, can we find an orthogonal basis of coefficient matrix A in polynomial time, let it be B.Multiply B to get $Bb=Be$ as term with s will vanish. Then solve for $e$. After getting $e$, subtract from $b$ and get the…
Matrixee
  • 11
  • 3
1
vote
1 answer

LWE with secret matrix (Reverse LWE?)

I was wondering if there is a version of LWE with secret matrices and public seed vectors? Would it be as hard as the popular definition of LWE?
Novice Geek
  • 13
  • 3
1
vote
1 answer

Gaussian elimination to equations with errors

I am reading this document and wondering the following part on page 13: "Consider applying Gaussian elimination to the noisy samples to find the first bit" If we take, for example, $n = 3$, $s = (1,0,1)$, $x_1 = (1,1,0)$, $x_2=(1,1,1)$ and $…
iomat
  • 163
  • 4
1
2