## Abstract

We initiate the study of partial key exposure in Ring-LWE (RLWE)-based cryptosystems. Specifically, we (1) Introduce the search and decision Leaky R-LWE assumptions (Leaky R-SLWE, Leaky R-DLWE), to formalize the hardness of search/decision RLWE under leakage of some fraction of coordinates of the NTT transform of the RLWE secret. (2) Present and implement an efficient key exposure attack that, given certain 1/4-fraction of the coordinates of the NTT transform of the RLWE secret, along with samples from the RLWE distribution, recovers the full RLWE secret for standard parameter settings. (3) Present a search-to-decision reduction for Leaky R-LWE for certain types of key exposure. (4) Propose applications to the security analysis of RLWE-based cryptosystems under partial key exposure.

## 1 Introduction

There has been a monumental effort in the cryptographic community to develop “post-quantum” cryptosys-tems that remain secure even in the presence of a quantum adversary. One of the foremost avenues for viable post-quantum public key cryptography is to construct schemes from the Ring-Learning with Error (RLWE) assumption—currently 3 out of 26 of the second round NIST submissions are based on assumptions in the ring setting. RLWE is often preferred in practice over standard LWE due to its algebraic structure, which allows for smaller public keys and more efficient implementations. In the RLWE setting, we typically consider rings of the form
*n* is a power of two and *q ≡* 1 mod 2*n*. The (decisional) RLWE problem is then to distinguish (*a*, *b* = *a* · *s* + *e*) *∈ R _{q}* ×

*R*from uniformly random pairs, where

_{q}*s ∈ R*is a random secret,

_{q}*a ∈ R*is uniformly random and the error term

_{q}*e ∈ R*has small norm. A critical question is whether the additional algebraic structure of the RLWE problem renders it less secure than the standard LWE problem. Interestingly, to the best of our knowledge—for the rings used in practice and practical parameter settings—the best attacks on RLWE are generic and can equally well be applied to standard LWE [28]. In this work, we ask whether improved attacks on RLWE are possible when partial information about the RLWE secret is exposed, though the secret retains high entropy.

**The NTT transform**.

One key method for speeding up computations in the RLWE setting is usage of the *NTT transform* (similar to the discrete Fourier transform (DFT), but over finite fields) to allow for faster polynomial multiplication over the ring *R _{q}*. Specifically, applying the NTT transform to two polynomials

*n*-dimensional vectors,

*component-wise*multiplication and addition, which is highly efficient. In this work, we consider leakage of a fraction of NTT coordinates of the RLWE secret. Since the RLWE secret will typically be stored in NTT form (to facilitate fast computation), [4, 7] leakage of coordinates of the NTT transform is a natural model for partial key exposure attacks.

**This work**.

The goal of this work is to initiate a study of partial key exposure in RLWE based cryptosystems and explore both positive and negative results in this setting. Specifically, we (1) define search and decision versions of Leaky RLWE assumptions, where the structured leakage occurs on the coordinates of the NTT transform of the RLWE secret; (2) present partial key exposure attacks on RLWE, given 1 /4-fraction of structured leakage on the secret key; (3) present a search to decision reduction for the Leaky RLWE assumptions; and (4) propose applications of the decision version of the assumption to practical RLWE-based cryptosystems.

### 1.1 Leaky RLWE Assumptions–Search and Decision Versions

We next briefly introduce the search and decision versions of the Leaky RLWE assumptions. For
*ω* is a primitive 2*n*-th root of unity modulo *q*, and is guaranteed to exist by choice of prime *q*, s.t. *q ≡* 1 mod 2*n*. Note that

The search version of the RLWE problem with leakage, denoted Leaky R-SLWE, is parametrized by
**a**, **s**, and **e** are as in the standard RLWE assumption (see Appendix A.2 and [26] for the precise definition).

The decision version of the RLWE problem with leakage, denoted Leaky R-DLWE is parametrized by
*s***s**, where
*q*, otherwise. Note that only the coordinates of
*unleaked* positions are required to be indistinguishable from random.

When
*S* (multiply every element of
**s** is uniform random from *R _{q}* versus drawn from the error distribution (the same reduction for standard RLWE works in our case).

### 1.2 Our Results

**Partial key exposure attacks**.

We present attacks on Leaky R-SLWE and test them on various practical parameter settings, such as the NewHope [7] parameter settings as well as the RLWE challenges of Crockett and Peikert [12]. Our attacks demonstrate that Leaky R-SLWE is *easy* for leakage parameters
*n* = 1024, *q* = 12289, and *x* = Ψ 16 (centered binomial distribution of parameter 16); (2) The same parameters above, but with
*many* RLWE samples [3]; (3) For parameters of several of the Crockett and Peikert challenges, including those classified as “very hard.” In all the above cases, we fully recover the RLWE secret with high probability, given the corresponding 1/4-fraction of the positions in the NTT transform of the RLWE secret. See Section 3.2 for details on the experimental results.

**A search-to-decision reduction**.

Define
*n*, given positions
* _{n}′* . Assuming search R-LWE

*without leakage*is subexponentially

*ϵ*≤ 1 and polynomial modulus

*q*, then

^{[1]}i.e. there is a constant

*c*such that, for sufficiently large

*n*,

**s**is leaked. So there is some constant

*c′*such that, for sufficiently large

*n*, there exists

^{[2]}

### Theorem 1.1

(Informal). *Assume*
*then*:

*(1)*
*OR*

*(2)*
*OR*

*(3)*

While at first glance it may seem that the conclusions (1), (2), (3) are redundant, in fact they are incomparable; Indeed, conclusion (1) does not imply (2) (resp. (3)), since the adversary in (2) (resp. (3)) is given additional leakage. Conversely, conclusion (2) (resp. (3)) does not imply (1), since the set of NTT coordinates that are indistinguishable from random is smaller in (2).

Note that our experimental results show that for our chosen parameter settings *s*
*n ^{*}* ≠ 4 and, if

*n*= 8 for our chosen parameter settings (as supported by our experiments), then it must be the case that

^{*}**Applications**.

The Leaky R-DLWE assumption is a useful tool for analyzing the security of RLWE-based cryptosystems subject to partial key exposure, and guaranteeing a graceful degradation in security. In particular, the Leaky R-DLWE assumption was used to analyze the NewHope protocol of [7] in the ePrint version of this paper [14]. The assumption is applicable to schemes in which the RLWE assumption is used to guarantee that a certain outcome is high-entropy (as opposed to uniform random), such as NewHope without reconciliation [6].

**Practicality of our attack**.

We note that an attack on Leaky R-SLWE yields an attack on standard search R-LWE by guessing each possible leakage outcome, running the Leaky R-SLWE attack and checking correctness of the recovered secret. Therefore, we believe this line of research is interesting beyond the context of leakage resilience, since if the attack can be made to work successfully for sufficiently low leakage rate (far lower than the 1 /4-leakage rate of our attacks), then one could potentially obtain an improved attack on standard search R-LWE.

We chose to consider partial exposure of the *NTT transform* of the R- LWEsecret, since in practical schemes the secret key is often stored in the NTT domain and certain types of side-channel attacks allow recovering large portions of the secret key stored in memory. E.g., in their analysis of “cold boot attacks” on NTT cryp-tosystems, Albrecht et al. [4] considered bit-flip rates as low as 0.2%. However, the highly structured leakage required for our attack is unlikely to occur in a practical leakage setting such as a “cold boot attack,” where one expects to recover the values of random locations in memory. We leave open the question of reducing the structure of the leakage in our attack. Specifically, as a starting point it will be interesting to see if our attack can extend to leakage patterns of *n′* = 16, *|S|* = 4 or *n′* = 32, *|S|* = 8, etc. While the leakage rate remains the same (1/4) in each case, these patterns capture leakage that is less and less structured, since at the extreme, one can view leakage of a random 1 /4-fraction of the NTT coordinates as an instance of Leaky R-SLWE with parameters *n′* = *n* and *|S|* = *n*/4. ^{[3]}

### 1.3 Comparison with Concurrent Work of Bolboceanu et al. [9]

One of the settings considered by [9] is sampling the RLWE secret from an ideal *I ⊆ qR*. It is straightforward to see that sampling the RLWE secret uniformly at random from *Rq* and then leaking the NTT coordinates *i* such that *i* = *α* mod 2*n′* is *equivalent* to sampling the RLWE secret from the ideal *I* that contains those elements whose NTT transform is 0 in positions *i* such that *i* = *α* mod 2*n′*.

Nevertheless, our decisional assumption is *weaker* than the assumption of [9], since [9] require that the entire vector **u** be indistinguishable from uniform random, whereas we only require that the NTT transform of **u** is indistinguishable from uniform random at the positions *i* that are not leaked. Our assumption lends itself to a search-to-decision reduction while the assumption of [9] does not. While [9] do provide a direct security reduction for their decisional assumption, the required standard deviation of the error (in polynomial basis, tweaked and scaled by *q*) is ,

Finally, we compare our attack to that of [9]. For fixed *n*, *q*, our attack works for noise regimes that are not covered by the attack of [9]. For example, for NewHope settings of *n* = 1024, *q* = 12289, the attack of [9] has success rate at most 1/1000 when the standard deviation of noise distribution is less than 0.00562. ^{[4]} In contrast, our attack works (with success ranging from 82/200 to 2/1000) when the standard deviation of the noise is
^{[5]} Our attack applies only for certain leakage patterns corresponding to certain ideals *I*, whereas the attack of [9]works for any ideal. The techniques of the two attacks are entirely different. [9] obtain a “good” basis for the ideal via *non-uniform* advice, perform a change of basis and then use Babai’s roundoff algorithm to solve the resulting BDD instance.We use the algebraic structure of the problem to convert RLWE instances over high dimension into CVP instances over constant dimension *n′*.We then exactly solve the CVP instances over constant dimension and determine the “high confidence” solutions that are likely to be the correct values of the RLWE error. Assuming all high confidence solutions are correct, we obtain a noiseless system of linear equations w.r.t. the RLWE secret, allowing efficient recovery of the secret.

### 1.4 Related Work

**Leakage-resilient cryptography**.

The study of provably secure, leakage-resilient cryptography was introduced by the work of Dziembowski and Pietrzak in [19]. Pietrzak [29] also constructed a leakage-resilient stream-cipher. Brakerski et al. [11] showed how to construct a scheme secure against an attacker who leaks at each time period. There are other works as well considering continual leakage [17, 22]. There are also work on leakage-resilient signature scheme [10, 21, 27].

**Leakage-resilience and Lattice-based Cryptography**.

Goldwasser et al. [20], and subsequently [2, 16, 18] studied the leakage resilience of standard LWE based cryptosystems in the symmetric and public key settings.

**Leakage Resilience of Ring-LWE**.

Dachman-Soled et al. [13] considered the leakage resilience of a RLWE-based public key encryption scheme for specific leakage profiles. This was followed by Albrecht et al. [4], they investigated cold boot attacks and compared the number of operations for implementing the attack when the secret key is stored as polynomial coefficients versus when encoding of the secret key using a number theoretic transform (NTT) is stored in memory. Recently, [30] showed that given multiple samples of RLWE instances such that the public key for every instance lies in some specific subring, one can reduce the original RLWE problem to multiple independent RLWE problems over the subring. In this work we do not place any such restriction on the RLWE samples required to mount partial key exposure attack.

## 2 Preliminaries

For a positive integer *n*, we denote by [*n*] the set {0, . . . , *n* − 1}. We denote vectors in boldface and matrices using capital letters **A**. For vector **x** over ℝ* ^{n}* or ℂ

*, define the*

^{n}*ℓ*2 norm as

**x**‖ for simplicity. We use the

*t*(

*n*) can distinguish two distributions with probability at most

*p*(

*n*).

We present the background and standard definitions related to lattices, algebraic number theory, RLWE, and NTT transform in Appendix A.

## 3 Partial Key Exposure Attack on Ring-LWE

### 3.1 Reconstructing the secret given (*α* mod 8) leakage

Recall that for
**p**(*x*) mod *q* at the powers *ωi* for
*ω* is a 2*n*-th primitive root in ℤ*q*. For
*u* − 1 polynomial that is obtained by taking **p**(*x*) modulo
*α* = 1. We abbreviate notation and write **p*** ^{u}*, instead of

We consider attacks in which the adversary learns all coordinates *i* of
*i ≡* 1 mod 2*n′* where
**s**. First, we note that in NTT transform notation the equation
**A***j* matrices are the circulant matrices corresponding to the ring element
*j*-th RLWE sample we learn all the coordinates
*i ≡* 1 mod 2*n′*. Note that the leaked coordinates are the evaluation of the polynomial **e***u*(*x*) at the *ωi* for *i ≡* 1 mod 2*n′*. We can then reconstruct the polynomial **e***u*(*x*) using Lagrange Interpolation.

For
*i* + 1)-st coefficient of **e***u*(*x*), i.e. *eu*,*i* is equal to

The coefficients of **e** can be partitioned into *u* groups of size *n′*, forming independent linear systems, each with *n′* variables and one equation. Given only the leakage, the set of feasible secret keys is a cartesian product
*i ∈* [*u*], the set
*i*-th linear system:

Since each coordinate of **e** is drawn independently from *χ* and since each linear system above has small dimension *n′*, we can use a brute-force-search to find the most likely solution and calculate its probability.

Given this information, we will carefully choose the solutions **e***j*
*u* number of *n′*-dimensional solutions,
*j*
*all* our guesses are correct. Observe that if our guess of some
*n′* equations and *n* variables
*Aj*,*i* is the submatrix of *Aj* consisting of the *n′* rows
**u*** ^{j}*,

*,*

^{i}**e**

*,*

^{j}*are vectors consisting of the*

^{i}**u**

*and*

^{j}**e**

*. So assuming (1) and (2) hold, we learn*

^{j}*u noiseless*systems of

*n′*linear equations, each with

*n*=

*u*·

*n′*number of variables.We then construct a linear system of

*n*variables and

*n*equations, which can be solved to obtain the candidate

**s**.

In order to ensure that (2) holds, we only keep the guess * ^{j}*for

*i*being drawn from the error distribution (which is coordinate-wise independent) over the sum of the probabilities of all solutions. For small dimension

*n′*, this can be computed via a brute-force method. In our case, we keep the highest probability solution when it has probability at least, say 0.98. The probability that

*all*guesses are correct is therefore

Since computing the exact probability as above is computationally intensive, we develop a heuristic that performs nearly as well and is much faster. Note that finding the “most likely” solution is equivalent to solving a CVP problem over an appropriate *n′*-dimensional lattice. We then calculate the probability of the solution under the discrete Gaussian and set some threshold . If the probability of the solution is above the threshold we keep it, if not we discard it. Experimentally, we show that by setting the threshold correctly, we can still achieve high confidence. See Figure 1 for the exact settings of the threshold for each setting of parameters. Our experiments also show that (1) also holds given a reasonable number of RLWE samples. See Section 3.2 for a presentation of our experimental results. We describe our attack in cases where the leakage is on all coordinates *i* such that
*n′* in Appendix B.1.

**Complexity of the attack**.

We provide the pseudocode for the attack in Appendix D, Figure 3. While our attack works well in practice, we do not provide a formal proof that our attack is polynomial time for a given setting of parameters. Within the loop beginning on line 5, all the steps (or subroutines) shown in Figure 3 can be computed in polynomial time. Note that even step 12 (CVP.closest_vector), which requires solving a CVP instance, can be computed in polynomial time because for the leakage patterns we consider, the dimension of the CVP instance will always be either 4 or 8–a constant, independent of *n*. However, our analysis does not bound the number of iterations of the loop beginning on line 5. Specifically,we do not analyze how large the variable RLWESamples must be set in order to guarantee that the attack is successful with high probability. Bounding this variable corresponds to bounding the number of RLWE samples needed in order to obtain a sufficient number of “high confidence” solutions. In practice, the number of RLWE samples was always fewer than 200 for all parameter settings. In future work,we plan to compute the expected number of RLWE samples needed to obtain a sufficient number of high confidence solutions for a given parameter setting. Assuming this expected number of samples is polynomial in *n*, we obtain an expected polynomial time attack.

### 3.2 Experimental Results

We first assess the performance of our attack on the RLWE challenges published by Crockett and Peikert [12], with various parameters, ranging from “toy” to “very hard” security levels. For each parameter setting, a cut-and-choose protocol was used by [12] to prove correctness of the challenges: They committed to some number (e.g. *N* = 32) of independent RLWE instances, a random index *i* was chosen, and the secret key for all except the *i*-th instance was revealed. For each of the 31 *opened* challenges,we simulate the Leaky RLWE experiment and attempt to recover the full secret **s** using our attack. We next measure the performance of our attack on RLWE instances generated using the dimension, modulus and noise distribution proposed in the original NewHope scheme [7]. These parameters are more conservative than the ones chosen for the later submission to the NIST competition [5]. When multiple RLWE samples are released, bounded error distributions are less secure [3]. We therefore tested our attack in the *more difficult* setting of Gaussian error, in addition to the original binomial error distribution of [7].

The experiments were run using server with AMD Opteron 6274 processor, with a python script using all the cores with Sage version 8.1.We used fplll [15] library for CVP solver and the source code of all the attacks are available online at [1]. The results of our attacks are summarized in Figure 1.We report the total number of instances we broke and the average number of RLWE samples needed for those instances. To decide whether a solution is kept or discarded, its probability mass under the error distribution *χ* is calculated and compared to the threshold. The threshold for each parameter setting is set heuristically so that minimal weight solutions passing the threshold are correct with high confidence (see Figure 1 for the exact threshold settings). We tested leakage patterns of
*n′* = 8, *α* = 1)), but were only successful for the easiest case, i.e. Challenge ID 1. For, e.g. Challenge ID 89, the attack failed since for 5000 number of linear systems, the maximum confidence of any solution was 0.28, meaning that we expect to recover the secret key with probability at most

## 4 Search and Decisional Ring-LWE with Leakage

## Definition 4.1

(**Search RLWE (R-SLWE) with Leakage**) The search version of the R-LWE problem with leakage, denoted Leaky
**s**, given independent samples from the distribution
**a**, **e** are obtained from

## Definition 4.2

(**Decision RLWE (R-DLWE) with Leakage**) The decision version of the R-LWE problem with leakage, denoted Leaky
**s** *← R _{q}* uniformly at random, where

**a**,

**e**are obtained from

*A*

_{s}_{, Ψ}as in standard RLWE (see Definition A.2) and

chosen uniformly random, otherwise.

## 5 Search to Decision Reduction With Leakage

Let the RLWE secret be denoted by
*n′* and otherwise is uniform random ^{[6]}. It is not hard to see, using techniques of [23, 24, 25], that this implies an attacker that learns a single index
*n′* of the RLWE secret, where
*n′*.We call this the **Basic Attack**. Due to limited space, we refer readers to Appendix C for description of **Basic Attack**.

## Theorem 5.1

(Existence of Basic Attack). *If, for any*
*adversary* A *running in time t* := *t*(*n*) *distinguishes*
*from*
*with probability p* := *p*(*n*)*, then there is some index j such that*
*n for all*
*and an attack Basic Attack with parameters*

*that learns NTT coordinate*

*with probability*1 − 1/poly(

*n*)

*and takes time*poly(

*n*) ·

*t*· 1/

*p*.

Our attack **Attack 1** uses the **Basic Attack** to learn *all* the values
**Attack 1** is to learn all
*i ≡ b*2 mod *n′* into the positions *i ≡ b* mod 2*n′*, resulting in a permuted RLWE secret, denoted
*i*1causes the positions
*i ≡ b* mod *n′* to shift into the positions *i ≡* 1 mod 2*n′*. This means that we are now back where we started, and the reduction is now able to provide the required leakage
*n′ i*in the second iteration,

For *i*,
*i*, *j*,

## Definition 5.2

A probability distribution
*K* if for all *i*, *j ∈*

We remark that RLWE error distribution *χ* is automorphically closed [23].

We formally define **Attack 1** in Figure 3 .We next sketch how **Attack 1** can be used to complete the proof. For dimenstion *n* and parameter
*n* and parameters

Assume subexponential
*without leakage* for some constant *ϵ* ≤ 1 and polynomial modulus *q*. Then we also have that
*c′* such that for sufficiently large *n*, there exists

Now, if given
*n** leakage, there exists a (*t*(*n*), *p*(*n*))-distinguishing adversary (where
*less than*
**Attack 1**, which takes time at most
*t*(*n*) and *p*(*n*). If
**Attack 1** with our knowledge of
*n**-fraction of leakage to recover all of
*n**)-leakage can be run in time

For *n** > 4, the only cases in which **Attack 1** does not recover
*b*, we do not know how to rule out the possibility that given
*i ≡ b* mod
*both*
*other* positions are indistinguishable from random, since otherwise a modified version of **Attack 1** can be run. We next state the formal theorem of this section.

## Theorem 5.3

*Assume*
*then*:

–
*OR*

–
*OR*

–

*where*,

*Proof*. We assume WLOG that *α* = 1. Assume
*A* running in time
*j ≡ b* mod 2*n′* with probability at least

**Case 1:** *b* **is such that**
**for some**
*n*), we can use Attack 1 to recover the positions *i* such that
**s**. By assumption, this attack runs in time

By properties of the group
*n** is a power of two, for all
*br ≡ n** + 1 mod 2*n** for some

**Case 2:** *b* = *n* * − 1. In this case, with appropriate setting of poly(*n*), we can use Attack 1 to recover the positions *i* such that
*′* that distinguishes on index

**Case 2(a):**
*n*), we can (w.h.p.) learn all
*r ∈* [*n**/2] in time

Specifically, given the initial leakage
*j*, *j′*) such that *j ≡ b′* mod 2*n** and *j′ ≡* 1 mod 2*n**, apply automorphism
*r ∈* [*n**/2]. At this point, we will have
**s** in additional time
*i*Thus, in total the attack takes time

**Case 2(b):** *b′* = 2*n** − 1. Due to essentially the same argument as before, with appropriate setting of poly(*n*), we can (w.h.p.) recover the positions *i* such that *i ≡* 2*n** − 1 mod 2*n** in time
**s** in additional time

**Case 3:** *b* = 2*n** − 1. This essentially follows identically to Case 2. □

## Acknowledgement

This work is supported in part by NSF grants #CNS-1840893, #CNS-1453045 (CAREER), by a research partnership award from Cisco and by financial assistance award 70NANB15H328 from the U.S. Department of Commerce, National Institute of Standards and Technology.

## References

[1] *Source Code* 2019, https://github.com/mathcrypt/RLWESearch in Google Scholar

[2] Adi Akavia, Shafi Goldwasser and Vinod Vaikuntanathan, Simultaneous Hardcore Bits and Cryptography against Memory Attacks, in: *TCC 2009* (Omer Reingold, ed.), LNCS 5444, pp. 474–495, Springer, Heidelberg, March 2009.10.1007/978-3-642-00457-5_28Search in Google Scholar

[3] Martin Albrecht, Carlos Cid, Jean-Charles Faugere, Robert Fitzpatrick and Ludovic Perret, Algebraic algorithms for LWE problems, (2014).Search in Google Scholar

[4] Martin R. Albrecht, Amit Deo and Kenneth G. Paterson, Cold Boot Attacks on Ring and Module LWE Keys Under the NTT, *IACR TCHES* 2018 (2018), 173–213, https://tches.iacr.org/index.php/TCHES/article/view/7273Search in Google Scholar

[5] Erdem Alkim, Roberto Avanzi, Joppe Bos, Léo Ducas, Antonio de la Piedra, Thomas Pöppelmann, Peter Schwabe and Douglas Stebila, *Newhope: Algorithm specification and supporting documentation. Submission to the NIST Post-Quantum Cryptography Standardization Project, 2017*Search in Google Scholar

[6] Erdem Alkim, Léo Ducas, Thomas Pöppelmann and Peter Schwabe, *NewHope without reconciliation* Cryptology ePrint Archive, Report 2016/1157, 2016, http://eprint.iacr.org/2016/1157Search in Google Scholar

[7] Erdem Alkim, Léo Ducas, Thomas Pöppelmann and Peter Schwabe, Post-quantum Key Exchange - A New Hope, in: *USENIX Security 2016* (Thorsten Holz and Stefan Savage, eds.), pp. 327–343, USENIX Association, August 2016.Search in Google Scholar

[8] Jacob Alperin-Sheriff and Chris Peikert, Practical Bootstrapping in Quasilinear Time, in: *CRYPTO 2013, Part I* (Ran Canetti and Juan A. Garay, eds.), LNCS 8042, pp. 1–20, Springer, Heidelberg, August 2013.10.1007/978-3-642-40041-4_1Search in Google Scholar

[9] Madalina Bolboceanu, Zvika Brakerski, Renen Perlman and Devika Sharma, *Order-LWE and the Hardness of Ring-LWE with Entropic Secrets* Cryptology ePrint Archive, Report 2018/494, 2018, https://eprint.iacr.org/2018/494Search in Google Scholar

[10] Elette Boyle, Gil Segev and Daniel Wichs, Fully Leakage-Resilient Signatures, *Journal of Cryptology* 26 (2013), 513–558.10.1007/s00145-012-9136-3Search in Google Scholar

[11] Zvika Brakerski, Yael Tauman Kalai, Jonathan Katz and Vinod Vaikuntanathan, Overcoming the Hole in the Bucket: Public-Key Cryptography Resilient to Continual Memory Leakage, in: *51st FOCS* pp. 501–510, IEEE Computer Society Press, October 2010.10.1109/FOCS.2010.55Search in Google Scholar

[12] Eric Crockett and Chris Peikert, Challenges for Ring-LWE., *IACR Cryptology ePrint Archive* 2016 (2016), 782.Search in Google Scholar

[13] Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni and Aria Shahverdi, *On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption* Cryptology ePrint Archive, Report 2017/1127, 2017, https://eprint.iacr.org/2017/1127Search in Google Scholar

[14] Dana Dachman-Soled, Huijing Gong,Mukul Kulkarni and Aria Shahverdi, *Partial Key Exposure in Ring-LWE-Based Cryptosys-tems: Attacks and Resilience* Cryptology ePrint Archive, Report 2018/1068, 2018, https://eprint.iacr.org/2018/1068Search in Google Scholar

[15] The FPLLL development team, *fplll, a lattice reduction library* Available at https://github.com/fplll/fplll 2016.Search in Google Scholar

[16] Yevgeniy Dodis, Shafi Goldwasser, Yael Tauman Kalai, Chris Peikert and Vinod Vaikuntanathan, Public-Key Encryption Schemes with Auxiliary Inputs, in: *TCC 2010* (Daniele Micciancio, ed.), LNCS 5978, pp. 361–381, Springer, Heidelberg, February 2010.10.1007/978-3-642-11799-2_22Search in Google Scholar

[17] Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt and Daniel Wichs, Cryptography against Continuous Memory Attacks, in: *51st FOCS* pp. 511–520, IEEE Computer Society Press, October 2010.10.1109/FOCS.2010.56Search in Google Scholar

[18] Yevgeniy Dodis, Yael Tauman Kalai and Shachar Lovett, On cryptography with auxiliary input, in: *41st ACM STOC* (Michael Mitzenmacher, ed.), pp. 621–630, ACM Press, May / June 2009.10.1145/1536414.1536498Search in Google Scholar

[19] Stefan Dziembowski and Krzysztof Pietrzak, Leakage-Resilient Cryptography, in: *49th FOCS* pp. 293–302, IEEE Computer Society Press, October 2008.10.1109/FOCS.2008.56Search in Google Scholar

[20] Shafi Goldwasser, Yael Tauman Kalai, Chris Peikert and Vinod Vaikuntanathan, Robustness of the Learning with Errors Assumption, in: *ICS 2010* (Andrew Chi-Chih Yao, ed.), pp. 230–240, Tsinghua University Press, January 2010.Search in Google Scholar

[21] Jonathan Katz and Vinod Vaikuntanathan, Signature Schemes with Bounded Leakage Resilience, in: *ASIACRYPT 2009* (Mit-suru Matsui, ed.), LNCS 5912, pp. 703–720, Springer, Heidelberg, December 2009.10.1007/978-3-642-10366-7_41Search in Google Scholar

[22] Allison B. Lewko, Mark Lewko and Brent Waters, How to leak on key updates, in: *43rd ACM STOC* (Lance Fortnow and Salil P. Vadhan, eds.), pp. 725–734, ACM Press, June 2011.10.1145/1993636.1993732Search in Google Scholar

[23] Vadim Lyubashevsky, Search to decision reduction for the learning with errors over rings problem, in: *2011 IEEE Information Theory Workshop, ITW 2011, Paraty, Brazil, October 16-20, 2011* pp. 410–414, 2011.10.1109/ITW.2011.6089491Search in Google Scholar

[24] Vadim Lyubashevsky, Chris Peikert and Oded Regev, On Ideal Lattices and Learning with Errors over Rings, in: *EURO-CRYPT 2010* (Henri Gilbert, ed.), LNCS 6110, pp. 1–23, Springer, Heidelberg, May / June 2010.10.1007/978-3-642-13190-5_1Search in Google Scholar

[25] Vadim Lyubashevsky, Chris Peikert and Oded Regev, On Ideal Lattices and Learning with Errors over Rings, *J. ACM* 60 (2013), 43:1–43:35.10.1145/2535925Search in Google Scholar

[26] Vadim Lyubashevsky, Chris Peikert and Oded Regev, *A Toolkit for Ring-LWE Cryptography* Cryptology ePrint Archive, Report 2013/293, 2013, http://eprint.iacr.org/2013/29310.1007/978-3-642-38348-9_3Search in Google Scholar

[27] Tal Malkin, Isamu Teranishi, Yevgeniy Vahlis and Moti Yung, Signatures Resilient to Continual Leakage on Memory and Computation, in: *TCC 2011* (Yuval Ishai, ed.), LNCS 6597, pp. 89–106, Springer, Heidelberg, March 2011.10.1007/978-3-642-19571-6_7Search in Google Scholar

[28] Chris Peikert, How(Not) to Instantiate Ring-LWE, in: *SCN 16* (Vassilis Zikas and Roberto De Prisco, eds.), LNCS 9841, pp. 411–430, Springer, Heidelberg, August / September 2016.10.1007/978-3-319-44618-9_22Search in Google Scholar

[29] Krzysztof Pietrzak, A Leakage-Resilient Mode of Operation, in: *EUROCRYPT 2009* (Antoine Joux, ed.), LNCS 5479, pp. 462–482, Springer, Heidelberg, April 2009.10.1007/978-3-642-01001-9_27Search in Google Scholar

[30] Katherine E. Stange, *Algebraic aspects of solving Ring-LWE, including ring-based improvements in the Blum-Kalai-Wasserman algorithm* Cryptology ePrint Archive, Report 2019/183, 2019, https://eprint.iacr.org/2019/183Search in Google Scholar

### A Additional Preliminaries

#### A 1 Algebraic Number Theory

For a positive integer *m*, the *m ^{th} cyclotomic number field* is a field extension

*ζ*of order

_{m}*m*(i.e. a primitive

*m*root of unity) to the rationals.

^{th}**Ring of Integers R and Its Dual R**

^{∨}Let *R ⊂ K* denote the set of all algebraic integers in number field *K* defined above. This set forms a ring (under the usual addition and multiplication operations in *K*), called the *ring of integers* of *K*.

An (*integral*) *ideal*
*R*, i,e.,
*r ∈ R* and

#### Definition A.1

For
*p* runs over all odd primes dividing *m*. Also, define
*m* is even, otherwise

The dual ideal *R∨* of *R* is defined as

#### A 2 Ring-LWE

We next present the formal definition of the RLWE problem as given in [26].

#### Definition A.2

(**RLWE Distribution**) For a “secret"
*R ^{∨}*) and a distribution

*χ*over

*K*

_{ℝ}, a sample from the RLWE distribution

*e ← χ*, and outputting

#### Definition A.3

(**RLWE, Average-Case Decision**) The average-case decision version of the RLWE problem, denoted R-DLWE* _{q}*,

*, is to distinguish with non-negligible advantage between independent samples from*

_{χ}*A*,

_{s}*, where*

_{χ}#### Theorem A.4

*[26, Theorem 2.22] Let K be the m*th *cyclotomic number field having dimension*
*and*
*be its ring of integers. Let*
*and*
*be a* poly(*n*)*-bounded prime such that*
*Then there is a polynomial-time quantum reduction from*
*-approximate* SIVP *(or* SVP*) on ideal lattices in K to the problem of solving R-*DLWE* _{q}*,

_{χ}given only l samples, where χ is the Gaussian distribution D_{ξ}for**A Note on the Tweak**.

In [8], Alperin-Sheriff and Peikert show that an equivalent “tweaked" form of the Ring-LWE problem can be used in cryptographic applications without loss in security or efficiency. This is convenient since the “tweaked" version does not involve *R ^{∨}*. The “tweaked" ring-LWE problem can be obtained by implicitly multiplying the noisy products

*b*by the “tweak" factor

*t*, and, as it is explained in [8],

where
*e ^{′}* =

*t*·

*e*come from the “tweaked" error distribution

*t*·

*χ*.

#### A 3 Number Theoretic Transform (NTT)

Let
*n* = 2* ^{d}* for any positive integer

*d*. Also, let

*m*= 2

*n*and

*q*= 1 mod

*m*. For,

*ω*a

*m*th root of unity in ℤ

*the NTT of polynomial*

_{q}where the NTT coefficients

The function NTT−1 is the inverse of function NTT, defined as

where the NTT inverse coefficients *p _{i}* are defined as:

### B Attack Algorithm for Other Leakage Patterns

**B.1 Reconstructing the secret given (***α*_{1}, *α*_{2} mod *n**′***) leakage**

*α*

_{1},

*α*

_{2}mod

*n*

Let
*u* = *n* /*n ^{′}* polynomial that is obtained by taking

*α*

_{1}= 1.We therefore set

*i*+ 1)-st coefficient of

**e**

*(*

_{u}*x*) and

Similar to the previous attack, we obtain the following constraints on the error, given leakage on the secret key and an RLWE sample,

We solve a corresponding CVP instance to find the “most likely” solution,

Similar to our previous attack, our goal is to carefully choose the answers with “high confidence” such that (1) In total, we must guess at least *u* number of *n′*-dimensional solutions,
*all* our guesses are correct. We choose the candidate which has probability of at least, say, 0.95 of being correct solution. The total probability of success for this case is

Our experiments in section 3.2 again show that we can obtain enough “high” confidence solutions, without requiring too large a number of RLWE instances.

### C Description of Basic Attack

In this section, we present the **Basic Attack**, following the description from [23, 24, 25] and using the fact that NTT coefficients form a CRT representation. We first recall definition of CRT representation in our setting of parameters.

### Definition C.1

(CRT Representation) For **p** *∈ R _{q}*, and

*ω*a

*m*primitive root of unity in

^{th}**p**is defined as

for

It is easy to see that

We first introduce the following definition:

### Definition C.2

(Hybrid Leaky RLWE Distribution) For
*s ∈ R _{q}*, and a distribution

*χ*over

*R*, a sample from the distribution

_{q}*u*,

_{i}*u*is chosen uniformly at random from χ

_{i}*if*

_{q}*i*≠

*α′*mod 2

*n′*for all

*i*≤

*j*,

*u*= 0 otherwise.

_{i}Define
*t* := *t*(*n*) distinguishes
*p* := *p*(*n*), then there is some index
*j* ≠ *α′* mod *n* for all
* _{j}* that is able to distinguish between the distribution

*p*/

*n*.

We now show the distinguisher 𝒟* _{j}* can be used to construct an algorithm that finds the value of

*poly(*

_{j}*n*/

*p*) times for each of the

*q*(= poly(

*n*)) guesses for

*n*) in time

Next we present the samples construction algorithm that takes a guess *g ∈* ℤ* _{q}* and transform

where
*u _{k}* is uniform in ℤ

*if*

_{q}*k*<

*j*,

*k*≠

*α′*mod 2

*n′*for all

*v*is uniform in ℤ

_{k}*if*

_{q}*k*=

*j*, and the rest are 0. Note that

Observe that if *g* is the correct guess, then
**a***′* , **b***′*) is identical to
*g* is a wrong guess, (*g* − *s _{j}*) is non-zero. Since

*q*is prime,

*. Thus the distribution of (*

_{q}**a**

*′*,

**b**

*′*) is identical to

### D Pseudocode of Attack from Section 3

**Received:**2019-06-05

**Accepted:**2019-07-01

**Published Online:**2020-11-17

© 2020 D. Dachman-Soled et al., published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.