
Journal of Mathematical Cryptology: latest publications

On the first fall degree of summation polynomials
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2019-06-13 DOI: 10.1515/jmc-2017-0022
S. Kousidis, A. Wiemers
Abstract: We improve on the first fall degree bound of polynomial systems that arise from a Weil descent along Semaev’s summation polynomials relevant to the solution of the Elliptic Curve Discrete Logarithm Problem via Gröbner basis algorithms.
Journal of Mathematical Cryptology, vol. 13, no. 1, pp. 229–237.
Citations: 1
Signcryption schemes with insider security in an ideal permutation model
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2019-06-01 DOI: 10.1515/jmc-2018-0006
Tarun Kumar Bansal, Xavier Boyen, J. Pieprzyk
Abstract: Signcryption aims to provide both confidentiality and authentication of messages more efficiently than performing encryption and signing independently. The “Commit-then-Sign & Encrypt” (CtS&E) method allows encryption and signing to be performed in parallel. Parallel execution of cryptographic algorithms decreases the computation time needed to signcrypt messages. CtS&E uses weaker cryptographic primitives in a generic way to achieve a strong security notion of signcryption. Various message pre-processing schemes, also known as message padding, have been used in signcryption as a commitment scheme in CtS&E. Due to its elegance and versatility, the sponge structure turns out to be a useful tool for designing new padding schemes such as SpAEP [T. K. Bansal, D. Chang and S. K. Sanadhya, Sponge based CCA2 secure asymmetric encryption for arbitrary length message, Information Security and Privacy – ACISP 2015, Lecture Notes in Comput. Sci. 9144, Springer, Berlin 2015, 93–106], while offering further avenues for optimization and parallelism in the context of signcryption. In this work, we design a generic and efficient signcryption scheme featuring parallel encryption and signature on top of a sponge-based message-padding underlying structure. Unlike other existing schemes, the proposed scheme also supports arbitrarily long messages. We prove the construction secure when instantiated from weakly secure asymmetric primitives such as a trapdoor one-way encryption and a universal unforgeable signature. With a careful analysis and simple tweaks, we demonstrate how different combinations of weakly secure probabilistic and deterministic encryption and signature schemes can be used to construct a strongly secure signcryption scheme, further broadening the choices of underlying primitives to cover essentially any combination thereof. To the best of our knowledge, this is the first signcryption scheme based on the sponge structure that also offers strong security using weakly secure underlying asymmetric primitives, even deterministic ones, along with the ability to handle long messages efficiently.
Journal of Mathematical Cryptology, vol. 13, no. 1, pp. 117–150.
Citations: 0
Exact information ratios for secret sharing on small graphs with girth at least 5
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2019-06-01 DOI: 10.1515/jmc-2018-0024
Károly Harsányi, P. Ligeti
Abstract: In a secret-sharing scheme, a piece of information – the secret – is distributed among a finite set of participants in such a way that only some predefined coalitions can recover it. The efficiency of the scheme is measured by the amount of information the most heavily loaded participant must remember. This amount is called the information ratio, and one of the most interesting problems of this topic is to calculate the exact information ratio of given structures. In this paper, the information ratios of all but one graph-based schemes on 8 or 9 vertices with a girth at least 5 and all graph-based schemes on 10 vertices and 10 edges with a girth at least 5 are determined using two polyhedral combinatoric tools: the entropy method and covering with stars. Beyond the investigation of new graphs, the paper contains a few improvements and corrections of recent results on graphs with 9 vertices. Furthermore, we determine the exact information ratio of a large class of generalized sunlet graphs consisting of some pendant paths attached to a cycle of length at least 5.
Journal of Mathematical Cryptology, vol. 13, no. 1, pp. 107–116.
Citations: 2
Frontmatter
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2019-06-01 DOI: 10.1515/jmc-2019-frontmatter2
Citations: 0
Generic constructions of PoRs from codes and instantiations
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2019-06-01 DOI: 10.1515/jmc-2018-0018
Julien Lavauzelle, F. Levy-dit-Vehel
Abstract: In this paper, we show how to construct – from any linear code – a Proof of Retrievability (PoR) which features very low computation complexity on both the client (Verifier) and the server (Prover) sides, as well as small client storage (typically 512 bits). We adapt the security model initiated by Juels and Kaliski [PoRs: Proofs of retrievability for large files, Proceedings of the 2007 ACM Conference on Computer and Communications Security—CCS 2007, ACM, New York 2007, 584–597] to fit into the framework of Paterson, Stinson and Upadhyay [A coding theory foundation for the analysis of general unconditionally secure proof-of-retrievability schemes for cloud storage, J. Math. Cryptol. 7 (2013), no. 3, 183–216], from which our construction evolves. We thus provide a rigorous treatment of the security of our generic design; more precisely, we sharply bound the extraction failure of our protocol according to this security model. Next we instantiate our formal construction with codes built from tensor products as well as with Reed–Muller codes and lifted codes, yielding PoRs with moderate communication complexity and (server) storage overhead, in addition to the aforementioned features.
Journal of Mathematical Cryptology, vol. 13, no. 1, pp. 81–106.
Citations: 2
Hash functions from superspecial genus-2 curves using Richelot isogenies
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2019-03-15 DOI: 10.1515/JMC-2019-0021
W. Castryck, Thomas Decru, Benjamin A. Smith
Abstract: In 2018 Takashima proposed a version of Charles, Goren and Lauter’s hash function using Richelot isogenies, starting from a genus-2 curve that allows for all subsequent arithmetic to be performed over a quadratic finite field $\mathbb{F}_{p^2}$. In 2019 Flynn and Ti pointed out that Takashima’s hash function is insecure due to the existence of small isogeny cycles. We revisit the construction and show that it can be repaired by imposing a simple restriction, which moreover clarifies the security analysis. The runtime of the resulting hash function is dominated by the extraction of 3 square roots for every block of 3 bits of the message, as compared to one square root per bit in the elliptic curve case; however, in our setting the extractions can be parallelized and are done in a finite field whose bit size is reduced by a factor 3. Along the way we argue that the full supersingular isogeny graph is the wrong context in which to study higher-dimensional analogues of Charles, Goren and Lauter’s hash function, and advocate the use of the superspecial subgraph, which is the natural framework in which to view Takashima’s $\mathbb{F}_{p^2}$-friendly starting curve.
Journal of Mathematical Cryptology, vol. 14, no. 1, pp. 268–292.
Citations: 35
Frontmatter
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2019-03-01 DOI: 10.1515/jmc-2019-frontmatter1
Citations: 0
Capitulation of the 2-ideal classes of type (2, 2, 2) of some quartic cyclic number fields
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2019-03-01 DOI: 10.1515/jmc-2017-0037
A. Azizi, I. Jerrari, A. Zekhnini, M. Talbi
Abstract: Let $p \equiv 3 \pmod{4}$ and $l \equiv 5 \pmod{8}$ be different primes such that $\left(\frac{p}{l}\right) = 1$ and $\left(\frac{2}{p}\right) = \left(\frac{p}{l}\right)_{4}$. Put $k = \mathbb{Q}(\sqrt{l})$, and denote by $\epsilon$ its fundamental unit. Set $K = k\bigl(\sqrt{-2p\epsilon\sqrt{l}}\bigr)$, and let $K_{2}^{(1)}$ be its Hilbert 2-class field, and let $K_{2}^{(2)}$ be its second Hilbert 2-class field. The field $K$ is a cyclic quartic number field, and its 2-class group is of type $(2,2,2)$. Our goal is to prove that the length of the 2-class field tower of $K$ is 2, to determine the structure of the 2-group $G = \operatorname{Gal}(K_{2}^{(2)}/K)$, and thus to study the capitulation of the 2-ideal classes of $K$ in all its unramified abelian extensions within $K_{2}^{(1)}$. Additionally, these extensions are constructed, and their abelian-type invariants are given.
Journal of Mathematical Cryptology, vol. 13, no. 1, pp. 27–46.
Citations: 0
A detailed analysis of the hybrid lattice-reduction and meet-in-the-middle attack
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2019-03-01 DOI: 10.1515/jmc-2016-0044
T. Wunderer
Abstract: Over the past decade, the hybrid lattice-reduction and meet-in-the-middle attack (called hybrid attack) has been used to evaluate the security of many lattice-based cryptographic schemes such as NTRU, NTRU Prime, BLISS and more. However, unfortunately, none of the previous analyses of the hybrid attack is entirely satisfactory: they are based on simplifying assumptions that may distort the security estimates. Such simplifying assumptions include setting probabilities equal to 1, which, for the parameter sets we analyze in this work, are in fact as small as $2^{-80}$. Many of these assumptions lead to underestimating the scheme’s security. However, some lead to security overestimates, and without further analysis, it is not clear which is the case. Therefore, the current security estimates against the hybrid attack are not reliable, and the actual security levels of many lattice-based schemes are unclear. In this work, we present an improved runtime analysis of the hybrid attack that is based on more reasonable assumptions. In addition, we reevaluate the security against the hybrid attack for the NTRU, NTRU Prime and R-BinLWEEnc encryption schemes as well as for the BLISS and GLP signature schemes. Our results show that there exist both security over- and underestimates in the literature.
Journal of Mathematical Cryptology, vol. 13, no. 1, pp. 1–26.
Citations: 19
Estimation of the hardness of the learning with errors problem with a restricted number of samples
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2019-03-01 DOI: 10.1515/jmc-2017-0040
Markus Schmidt, Nina Bindel
Abstract: The Learning With Errors (LWE) problem is one of the most important hardness assumptions lattice-based constructions base their security on. In 2015, Albrecht, Player and Scott presented the software tool LWE-Estimator to estimate the hardness of concrete LWE instances, making the choice of parameters for lattice-based primitives easier and better comparable. To give lower bounds on the hardness, it is assumed that each algorithm has given the corresponding optimal number of samples. However, this is not the case for many cryptographic applications. In this work we first analyze the hardness of LWE instances given a restricted number of samples. For this, we describe LWE solvers from the literature and estimate their runtime considering a limited number of samples. Based on our theoretical results we extend the LWE-Estimator. Furthermore, we evaluate LWE instances proposed for cryptographic schemes and show the impact of restricting the number of available samples.
Journal of Mathematical Cryptology, vol. 13, no. 1, pp. 47–67.
Citations: 15