(In)Security of Ring-LWE Under Partial Key Exposure

Abstract: We initiate the study of partial key exposure in Ring-LWE (RLWE)-based cryptosystems. Specifically, we (1) introduce the search and decision Leaky R-LWE assumptions (Leaky R-SLWE, Leaky R-DLWE) to formalize the hardness of search/decision RLWE under leakage of some fraction of the coordinates of the NTT transform of the RLWE secret; (2) present and implement an efficient key exposure attack that, given a certain 1/4-fraction of the coordinates of the NTT transform of the RLWE secret, along with samples from the RLWE distribution, recovers the full RLWE secret for standard parameter settings; (3) present a search-to-decision reduction for Leaky R-LWE for certain types of key exposure; (4) propose applications to the security analysis of RLWE-based cryptosystems under partial key exposure.


Introduction
There has been a monumental effort in the cryptographic community to develop "post-quantum" cryptosystems that remain secure even in the presence of a quantum adversary. One of the foremost avenues for viable post-quantum public key cryptography is to construct schemes from the Ring Learning with Errors (RLWE) assumption; currently 3 out of 26 of the second round NIST submissions are based on assumptions in the ring setting. RLWE is often preferred in practice over standard LWE due to its algebraic structure, which allows for smaller public keys and more efficient implementations. In the RLWE setting, we typically consider rings of the form R_q := Z_q[x]/(x^n + 1), where n is a power of two and q is a prime with q ≡ 1 mod 2n. The (decisional) RLWE problem is then to distinguish (a, b = a · s + e) ∈ R_q × R_q from uniformly random pairs, where s ∈ R_q is a random secret, a ∈ R_q is uniformly random and the error term e ∈ R_q has small norm. A critical question is whether the additional algebraic structure of the RLWE problem renders it less secure than the standard LWE problem. Interestingly, to the best of our knowledge, for the rings used in practice and practical parameter settings, the best attacks on RLWE are generic and can equally well be applied to standard LWE [28]. In this work, we ask whether improved attacks on RLWE are possible when partial information about the RLWE secret is exposed, even though the secret retains high entropy.

Leaky RLWE Assumptions-Search and Decision Versions
We next briefly introduce the search and decision versions of the Leaky RLWE assumptions. For p ∈ R_q := Z_q[x]/(x^n + 1), we denote p̂ := NTT(p) := (p(ω^1), p(ω^3), ..., p(ω^{2n−1})), where ω is a primitive 2n-th root of unity modulo q, which is guaranteed to exist by the choice of prime q with q ≡ 1 mod 2n. Note that p̂ is indexed by the set Z*_{2n}, and that the NTT is multiplicative: the equation û = â · ŝ + ê holds coordinate-wise. The search version of the RLWE problem with leakage, denoted Leaky R-SLWE, is parametrized by (n′, S): the adversary is given RLWE samples together with the coordinates ŝ_i for all i ≡ α mod 2n′ with α ∈ S, and must recover s. In the decision version, Leaky R-DLWE, the adversary receives the same leakage and must distinguish û = â · ŝ + ê from û′, where û′_i = â_i · ŝ_i + ê_i for i ≡ α mod 2n′, α ∈ S, and û′_i is chosen uniformly at random from Z_q otherwise. Note that only the coordinates of û corresponding to unleaked positions are required to be indistinguishable from random. When S = {α} consists of a single element, we sometimes abuse notation and write the Leaky-RLWE parameters as (n′, α). Leaky-RLWE with parameters (n′, S), where S = {α_1, α_2, ..., α_t}, is equivalent to Leaky-RLWE with parameters (n′, S′), where S′ = α_1^{−1} · S (multiply every element of S by α_1^{−1} mod 2n′); the equivalence is realized by the ring automorphism x ↦ x^{α_1}, which permutes the NTT coordinates. It is also not hard to see that leaky search and decision are equally hard when the secret s is uniformly random in R_q versus drawn from the error distribution (the same reduction as for standard RLWE works in our case).

Our Results
Partial key exposure attacks.
We present attacks on Leaky R-SLWE and test them on various practical parameter settings, such as the NewHope [7] parameter settings as well as the RLWE challenges of Crockett and Peikert [12]. Our attacks demonstrate that Leaky R-SLWE is easy for the leakage parameters (n′ = 4, α = 1), (n′ = 8, S = {1, 7}) and (n′ = 8, S = {1, 15}) under (1) the NewHope parameter settings n = 1024, q = 12289 and χ = Ψ_16 (centered binomial distribution with parameter 16); (2) the same parameters, but with χ = D_{√8} (discrete Gaussian with standard deviation √8, the same standard deviation as Ψ_16), since this is the recommended setting in the case where the adversary gets to see many RLWE samples [3]; (3) the parameters of several of the Crockett and Peikert challenges, including those classified as "very hard." In all the above cases, we fully recover the RLWE secret with high probability, given the corresponding 1/4-fraction of the positions in the NTT transform of the RLWE secret. See Section 3.2 for details on the experimental results.
A search-to-decision reduction.

Applications.
The Leaky R-DLWE assumption is a useful tool for analyzing the security of RLWE-based cryptosystems subject to partial key exposure, and guaranteeing a graceful degradation in security. In particular, the Leaky R-DLWE assumption was used to analyze the NewHope protocol of [7] in the ePrint version of this paper [14].
The assumption is applicable to schemes in which the RLWE assumption is used to guarantee that a certain outcome is high-entropy (as opposed to uniform random), such as NewHope without reconciliation [6].

Practicality of our attack.
We note that an attack on Leaky R-SLWE yields an attack on standard search R-LWE by guessing each possible leakage outcome, running the Leaky R-SLWE attack and checking correctness of the recovered secret.¹ Therefore, we believe this line of research is interesting beyond the context of leakage resilience: if the attack can be made to work for a sufficiently low leakage rate (far lower than the 1/4 leakage rate of our attacks), then one could potentially obtain an improved attack on standard search R-LWE. We chose to consider partial exposure of the NTT transform of the R-LWE secret, since in practical schemes the secret key is often stored in the NTT domain, and certain types of side-channel attacks allow recovering large portions of the secret key stored in memory. E.g., in their analysis of "cold boot attacks" on NTT cryptosystems, Albrecht et al. [4] considered bit-flip rates as low as 0.2%. However, the highly structured leakage required for our attack is unlikely to occur in a practical leakage setting such as a cold boot attack, where one expects to recover the values of random locations in memory. We leave open the question of reducing the structure of the leakage in our attack. Specifically, as a starting point it will be interesting to see if our attack can extend to leakage patterns of n′ = 16, |S| = 4 or n′ = 32, |S| = 8, etc. While the leakage rate remains the same (1/4) in each case, these patterns capture leakage that is less and less structured, since at the extreme, one can view leakage of a random 1/4-fraction of the NTT coordinates as an instance of Leaky R-SLWE with parameters n′ = n and |S| = n/4.³

¹ Search R-LWE can be solved given a subroutine that solves Leaky R-SLWE by first guessing the leakage on s, then running the Leaky R-SLWE attack. Thus, by guessing the value of the single leaked position we obtain a T_n(n) · q-time attack on search R-LWE without leakage.
² Otherwise for every n_1 ∈ N, there exists an n_2 ≥ n_1 such that T_{n_2}(n_2) < 2^{c′}.

Comparison with Concurrent Work of Bolboceanu et al. [9]
One of the settings considered by [9] is sampling the RLWE secret from an ideal I ⊆ R_q. It is straightforward to see that sampling the RLWE secret uniformly at random from R_q and then leaking the NTT coordinates i such that i ≡ α mod 2n′ is equivalent to sampling the RLWE secret from the ideal I consisting of those elements whose NTT transform is 0 in the positions i such that i ≡ α mod 2n′. Nevertheless, our decisional assumption is weaker than the assumption of [9], since [9] require that the entire vector u be indistinguishable from uniformly random, whereas we only require that the NTT transform of u is indistinguishable from uniformly random at the positions i that are not leaked. Our assumption lends itself to a search-to-decision reduction, while the assumption of [9] does not. While [9] do provide a direct security reduction for their decisional assumption, the required standard deviation of the error (in the polynomial basis, tweaked and scaled by q) is ω(q^{1/n′} · n^{3/2}), which would be far higher than the noise considered in the NewHope and RLWE Challenges settings. In contrast, our assumption can be applied in practical parameter regimes and is sufficient to argue the security of several practical cryptosystems under partial key exposure.
Finally, we compare our attack to that of [9]. For fixed n, q, our attack works in noise regimes that are not covered by the attack of [9]. For example, for the NewHope settings n = 1024, q = 12289, the attack of [9] has success rate at most 1/1000 when the standard deviation of the noise distribution is less than 0.00562.⁴ In contrast, our attack works (with success rates ranging from 82/200 to 2/1000) when the standard deviation of the noise is √8 ≈ 2.83.⁵ Our attack applies only to certain leakage patterns, corresponding to certain ideals I, whereas the attack of [9] works for any ideal. The techniques of the two attacks are entirely different. [9] obtain a "good" basis for the ideal via non-uniform advice, perform a change of basis and then use Babai's round-off algorithm to solve the resulting BDD instance. We use the algebraic structure of the problem to convert RLWE instances of high dimension n into CVP instances of constant dimension n′. We then exactly solve the CVP instances over constant dimension and determine the "high confidence" solutions that are likely to be the correct values of the RLWE error. Assuming all high confidence solutions are correct, we obtain a noiseless system of linear equations in the RLWE secret, allowing efficient recovery of the secret.

Related Work
Leakage-resilient cryptography.
The study of provably secure, leakage-resilient cryptography was introduced by the work of Dziembowski and Pietrzak [19]. Pietrzak [29] also constructed a leakage-resilient stream cipher. Brakerski et al. [11] showed how to construct a scheme secure against an attacker who leaks at each time period. There are other works considering continual leakage [17,22], and there is also work on leakage-resilient signature schemes [10,21,27].

³ We thank an anonymous reviewer for bringing this research direction to our attention.
⁴ Note that [9] provides an upper bound on the norm of the error with respect to the canonical basis for its attack to succeed. Using a variant of the Chernoff bound, we derive an upper bound on the standard deviation of the error for a success rate of at most 1/1000. To make the bound comparable to the NewHope setting, we further convert to the tweaked polynomial representation and to RLWE instances of the form (a, as + e) instead of (a,  as/q + e).
⁵ √8 is the more conservative setting in the original NewHope specification [7]. The NIST submission uses the lower standard deviation of 2, which is still not covered by the attack of [9].

Leakage-resilience and Lattice-based Cryptography.
Goldwasser et al. [20], and subsequently [2,16,18] studied the leakage resilience of standard LWE based cryptosystems in the symmetric and public key settings.

Leakage Resilience of Ring-LWE.
Dachman-Soled et al. [13] considered the leakage resilience of an RLWE-based public key encryption scheme for specific leakage profiles. This was followed by Albrecht et al. [4], who investigated cold boot attacks and compared the number of operations needed to implement the attack when the secret key is stored as polynomial coefficients versus when its number theoretic transform (NTT) encoding is stored in memory. Recently, [30] showed that given multiple RLWE samples whose public keys all lie in some specific subring, one can reduce the original RLWE problem to multiple independent RLWE problems over the subring. In this work we do not place any such restriction on the RLWE samples required to mount the partial key exposure attack.

Preliminaries
For a positive integer n, we denote by [n] the set {0, ..., n − 1}. We denote vectors in boldface x and matrices using capital letters A. For a vector x over R^n or C^n, define the ℓ_2 norm as ‖x‖_2 = (Σ_i |x_i|^2)^{1/2}; we write ‖x‖ for simplicity. We use the notation ≈_{t(n),p(n)} to indicate that adversaries running in time t(n) can distinguish two distributions with probability at most p(n).
We present the background and standard definitions related to lattices, algebraic number theory, RLWE, and NTT transform in Appendix A.

Reconstructing the secret given (α mod 8) leakage.
Recall that for p ∈ Z_q[x]/(x^n + 1), the NTT transform p̂ is obtained by evaluating p(x) mod q at the odd powers ω^i, i ∈ Z*_{2n}, of a primitive 2n-th root of unity ω. We may assume WLOG that α = 1. For u := n/n′ we write p_u(x) for the polynomial p(x) mod (x^u − ω^u), abbreviating p^1_u.

We consider attacks in which the adversary learns all coordinates i of ŝ such that i ≡ 1 mod 2n′, where n′ ∈ {1, 2, 4, 8, ..., n}, and aims to recover the RLWE secret s. First, we note that in NTT notation the equation â · ŝ + ê = û holds component-wise. Therefore, given leakage on certain coordinates of ŝ, we can solve for the corresponding coordinates of ê. We also get to see multiple RLWE samples, which we write in matrix notation as (A_1, u_1 = A_1 s + e_1), ..., (A_ℓ, u_ℓ = A_ℓ s + e_ℓ), where the A_j are the negacyclic ("circulant") matrices corresponding to the ring elements a_j. Thus, for the j-th RLWE sample we learn all the coordinates ê^j_i for i ≡ 1 mod 2n′. Note that for such i we have (ω^i)^u = ω^{u + 2n·k} = ω^u, so the leaked coordinates are the evaluations of the polynomial e_u(x) at the points ω^i, i ≡ 1 mod 2n′; since deg e_u < u and there are exactly u such points, we can reconstruct e_u(x) using Lagrange interpolation. For i ∈ {0, ..., u − 1}, the (i + 1)-st coefficient of e_u(x), denoted e_{u,i}, is equal to

e_{u,i} = e_i + ω^u · e_{i+u} + ω^{2u} · e_{i+2u} + ... + ω^{(n′−1)u} · e_{i+(n′−1)u} mod q.

The coefficients of e can therefore be partitioned into u groups of size n′, forming independent linear systems, each with n′ variables and one equation. Given only the leakage, the set of feasible error vectors is a cartesian product S_1 × · · · × S_u, where for i ∈ [u] the set S_i consists of the vectors e_i := (e_i, e_{i+u}, e_{i+2u}, ..., e_{i+(n′−1)u}) that satisfy the i-th linear system above. Since each coordinate of e is drawn independently from χ and since each linear system has small dimension n′, we can use brute-force search to find the most likely solution and calculate its probability. Given this information, we carefully choose the solutions e^j_i (from all possible sets of solutions [e^j_i]_{j∈[ℓ], i∈[u]}) that have a high chance of being the correct values of the RLWE error. To obtain a full key recovery attack, we require the following: (1) in total, we must guess at least u of the n′-dimensional solutions, one for every group i ∈ [u], from [e^j_i]_{j∈[ℓ], i∈[u]}; (2) with high probability all our guesses are correct.
Observe that if our guess of some e^j_i is correct, we learn a noiseless linear system of n′ equations in the n unknown coordinates of s, namely the rows i, i+u, ..., i+(n′−1)u of A_j s = u_j − e_j, whose right-hand sides are now known. So assuming (1) and (2) hold, we learn u noiseless systems of n′ linear equations, each with n = u · n′ variables. Stacking them gives a linear system of n equations in n variables, which can be solved over Z_q to obtain the candidate s.
In order to ensure that (2) holds, we only keep the guess for e^j_i when we have "high confidence" that it is the correct solution. The probability of a particular solution e^j_i ∈ S_i is the ratio of the probability of e^j_i being drawn from the error distribution (which is coordinate-wise independent) over the sum of the probabilities of all solutions in S_i. For small dimension n′, this can be computed by brute force. In our case, we keep the highest probability solution when it has probability at least, say, 0.98. The probability that all guesses are correct is therefore at least 0.98^u = 0.98^{n/n′}. Since computing the exact probability as above is computationally intensive, we develop a heuristic that performs nearly as well and is much faster. Note that finding the "most likely" solution is equivalent to solving a CVP instance over an appropriate n′-dimensional lattice. We then calculate the probability of the solution under the discrete Gaussian and set a threshold: if the probability of the solution is above the threshold we keep it, otherwise we discard it. Experimentally, we show that by setting the threshold correctly we can still achieve high confidence. See Figure 1 for the exact settings of the threshold for each setting of parameters. Our experiments also show that (1) holds given a reasonable number of RLWE samples. See Section 3.2 for a presentation of our experimental results. We describe our attack in the cases where the leakage is on all coordinates i such that i ≡ α_1 mod 2n′ or i ≡ α_2 mod 2n′ in Appendix B.1.
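The procedure above, as an added worked example that is not part of the paper or of the released attack code [1]: a toy instance of the (n′ = 4, α = 1) attack in Python. The parameters (n = 16, q = 7681, secret and error from the centered binomial Ψ_2) are small stand-ins chosen so that the n′-dimensional CVP step can be replaced by exhaustive enumeration instead of a call to fplll; the 0.98 threshold, the cap on the number of samples and the final acceptance check (leak matches, every residual b − a·s lies in the error support) are our own choices. Everything else follows the text: the NTT, the leaked-coordinate trick ê_i = û_i − â_i · ŝ_i, Lagrange interpolation of e_u, the per-group confidence, and the final noiseless n × n system in s.

```python
# Added example, not the paper's code: a toy run of the (n' = 4, alpha = 1) Leaky R-SLWE
# key-recovery attack. n = 16, q = 7681 (q = 1 mod 2n) and error Psi_2 are stand-in parameters.
import random
from itertools import product
from math import comb, prod

n, q, K, n_prime = 16, 7681, 2, 4    # K: centered-binomial parameter; leak s-hat_i, i = 1 mod 2n'
u = n // n_prime
omega = next(w for w in range(2, q) if pow(w, n, q) == q - 1)   # primitive 2n-th root of unity
ODD = list(range(1, 2 * n, 2))       # Z*_{2n}: the NTT index set
LEAK = [i for i in ODD if i % (2 * n_prime) == 1]               # the leaked 1/4-fraction
W = pow(omega, u, q)                 # (omega^i)^u = omega^u for every leaked index i

def ntt(p):                          # p-hat_i = p(omega^i); multiplicative on Z_q[x]/(x^n + 1)
    return {i: sum(c * pow(omega, i * d, q) for d, c in enumerate(p)) % q for i in ODD}

def ring_mul(a, b):                  # product in Z_q[x]/(x^n + 1)
    r = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[(i + j) % n] += ai * bj if i + j < n else -ai * bj
    return [x % q for x in r]

def negacyclic_rows(a):              # matrix A_j with A_j * s = coefficient vector of a_j * s
    return [[a[(r - c) % n] * (1 if c <= r else -1) % q for c in range(n)] for r in range(n)]

def psi(rng):                        # centered binomial Psi_K, support [-K, K]
    return sum(rng.randint(0, 1) for _ in range(2 * K)) - K
def psi_mass(v):                     # Pr[Psi_K = v]
    return comb(2 * K, K + v) / 2 ** (2 * K) if abs(v) <= K else 0.0

def interpolate(points):             # Lagrange interpolation over Z_q; returns u coefficients
    poly = [0] * u
    for m, (xm, ym) in enumerate(points):
        basis, denom = [1], 1
        for t, (xt, _) in enumerate(points):
            if t != m:
                basis = [(b1 - xt * b0) % q for b0, b1 in zip(basis + [0], [0] + basis)]
                denom = denom * (xm - xt) % q
        scale = ym * pow(denom, q - 2, q) % q
        poly = [(pc + scale * bc) % q for pc, bc in zip(poly, basis)]
    return poly

def most_likely(target):             # exhaustive stand-in for the n'-dimensional CVP step
    sols = [(v, prod(psi_mass(x) for x in v)) for v in product(range(-K, K + 1), repeat=n_prime)
            if sum(x * pow(W, k, q) for k, x in enumerate(v)) % q == target]
    vec, mass = max(sols, key=lambda t: t[1])
    return vec, mass / sum(m for _, m in sols)   # (most likely error group, its confidence)

def solve_mod(rows, rhs):            # Gauss-Jordan over Z_q; None if the system is singular
    M = [row + [r] for row, r in zip(rows, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None: return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], q - 2, q)
        M[col] = [x * inv % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]

def leaky_attack(samples, leak, threshold=0.98, max_samples=200):
    """samples: RLWE pairs (a, b = a*s + e); leak: {i: s-hat_i for i in LEAK}. Returns (s, #used)."""
    best, seen = {}, []              # best[i] = (confidence, sample index, error group i)
    for j, (a, b) in enumerate(samples):
        if j >= max_samples: return None
        seen.append((a, b))
        a_hat, b_hat = ntt(a), ntt(b)
        # leaked e-hat_i = b-hat_i - a-hat_i * s-hat_i are the values of e_u = e mod (x^u - W)
        pts = [(pow(omega, i, q), (b_hat[i] - a_hat[i] * leak[i]) % q) for i in LEAK]
        e_u = interpolate(pts)       # coefficient i of e_u equals sum_k W^k e_{i + k u}
        for i in range(u):
            vec, conf = most_likely(e_u[i])
            if conf >= threshold and conf >= best.get(i, (0,))[0]:
                best[i] = (conf, j, vec)
        if len(best) < u: continue
        rows, rhs = [], []           # u noiseless n'-row systems stack into an n x n system in s
        for i, (_, jj, vec) in best.items():
            A, bb = negacyclic_rows(seen[jj][0]), seen[jj][1]
            for k in range(n_prime):
                rows.append(A[i + k * u]); rhs.append((bb[i + k * u] - vec[k]) % q)
        s = solve_mod(rows, rhs)
        if s is None: continue
        s_hat = ntt(s)               # accept only if the leak matches and every residual is small
        residuals = [(y - z) % q for a2, b2 in seen for y, z in zip(b2, ring_mul(a2, s))]
        if all(s_hat[i] == leak[i] for i in LEAK) and all(min(x, q - x) <= K for x in residuals):
            return s, j + 1
    return None

def rlwe_samples(s, rng):            # a uniform in R_q, e from Psi_K, b = a*s + e
    while True:
        a = [rng.randrange(q) for _ in range(n)]
        yield a, [(x + psi(rng)) % q for x in ring_mul(a, s)]

def demo(seed=1):                    # the adversary sees the samples and 1/4 of s-hat, recovers s
    rng = random.Random(seed)
    s = [psi(rng) for _ in range(n)]                   # secret drawn from the error distribution
    leak = {i: v for i, v in ntt(s).items() if i in LEAK}
    recovered, used = leaky_attack(rlwe_samples(s, rng), leak)
    return [x % q for x in s], recovered, used
```

With these toy parameters the 625 candidate error groups are spread over 7681 residues, so most groups have a unique small solution and confidence 1.0, and the attack usually finishes with one or two samples; with the paper's q = 12289 and Ψ_16 the candidate space per group is far larger, which is why the text needs the probability-weighted "high confidence" selection and several samples per instance.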

Complexity of the attack.
We provide the pseudocode for the attack in Appendix D, Figure 3. While our attack works well in practice, we do not provide a formal proof that our attack is polynomial time for a given setting of parameters. Within the loop beginning on line 5, all the steps (or subroutines) shown in Figure 3 can be computed in polynomial time. Note that even step 12 (CVP.closest_vector), which requires solving a CVP instance, can be computed in polynomial time because for the leakage patterns we consider, the dimension of the CVP instance will always be either 4 or 8-a constant, independent of n. However, our analysis does not bound the number of iterations of the loop beginning on line 5. Specifically, we do not analyze how large the variable RLWESamples must be set in order to guarantee that the attack is successful with high probability. Bounding this variable corresponds to bounding the number of RLWE samples needed in order to obtain a sufficient number of "high confidence" solutions. In practice, the number of RLWE samples was always fewer than 200 for all parameter settings. In future work, we plan to compute the expected number of RLWE samples needed to obtain a sufficient number of high confidence solutions for a given parameter setting. Assuming this expected number of samples is polynomial in n, we obtain an expected polynomial time attack.

Experimental Results
We first assess the performance of our attack on the RLWE challenges published by Crockett and Peikert [12], with various parameters ranging from "toy" to "very hard" security levels. For each parameter setting, a cut-and-choose protocol was used by [12] to prove correctness of the challenges: they committed to some number (e.g. N = 32) of independent RLWE instances, a random index i was chosen, and the secret key for all except the i-th instance was revealed. For each of the 31 opened challenges, we simulate the Leaky RLWE experiment and attempt to recover the full secret s using our attack. We next measure the performance of our attack on RLWE instances generated using the dimension, modulus and noise distribution proposed in the original NewHope scheme [7]. These parameters are more conservative than the ones chosen for the later submission to the NIST competition [5]. When multiple RLWE samples are released, bounded error distributions are less secure [3]; we therefore tested our attack in the more difficult setting of Gaussian error, in addition to the original binomial error distribution of [7]. The experiments were run on a server with an AMD Opteron 6274 processor, using a Python script under Sage version 8.1 that uses all available cores. We used the fplll library [15] as the CVP solver, and the source code of all the attacks is available online at [1]. The results of our attacks are summarized in Figure 1. We report the total number of instances we broke and the average number of RLWE samples needed for those instances. To decide whether a solution is kept or discarded, its probability mass under the error distribution χ is calculated and compared to the threshold. The threshold for each parameter setting is set heuristically so that minimal weight solutions passing the threshold are correct with high confidence (see Figure 1 for the exact threshold settings).
We tested leakage patterns of (n′ = 4, S = {1}), (n′ = 8, S = {1, 7}) and (n′ = 8, S = {1, 15}), all corresponding to 1/4-fraction leakage, for each parameter setting and were able to break multiple Leaky RLWE instances for every parameter setting/leakage pattern shown in Figure 1. We also report the maximum time it took to break a single instance for each parameter setting in Figure 1. Overall, the maximum amount of time to break a single instance was 6 hours for the hardest instance, i.e. Challenge ID 89. We attempted to launch our attack given only a 1/8-fraction of leakage (leakage pattern (n′ = 8, α = 1)), but were only successful for the easiest case, i.e. Challenge ID 1. For, e.g., Challenge ID 89 the attack failed: over 5000 linear systems, the maximum confidence of any solution was 0.28, meaning that we expect to recover the secret key with probability at most 0.28^{2048}.

Figure 1: Performance of the attack against RLWE Challenges [12] and NewHope [7] parameter settings. For each parameter setting, we report the following: min/max and average number of RLWE samples required for a successful break, total number of broken instances, and max run-time (in seconds) for a successful break. The threshold is set such that the minimal weight solutions to the linear systems given in Section 3 have high confidence with sufficiently high probability.

Search and Decisional Ring-LWE with Leakage
chosen uniformly random, otherwise.

Search to Decision Reduction With Leakage
Let the RLWE secret be denoted by ŝ and assume WLOG that there exists an adversary that obtains leakage [ŝ_i]_{i≡1 mod 2n′} and distinguishes û = â · ŝ + ê from û′, where û′_i = â_i · ŝ_i + ê_i for i ≡ 1 mod 2n′ and û′_i is uniformly random otherwise.⁶ It is not hard to see, using the techniques of [23,24,25], that this implies an attacker that learns a single index j ∈ Z*_{2n}, j ≡ b mod 2n′, of the RLWE secret, where b ≢ 1 mod 2n′. We call this the Basic Attack. Due to limited space, we refer readers to Appendix C for a description of the Basic Attack.

... with parameters (n′, S) with probability p := p(n), then there is some index j such that j ≢ α′ mod n for all α′ ∈ S, and an attack Basic Attack with parameters (n′, S, j, t, p) that learns the NTT coordinate ŝ_j with probability 1 − 1/poly(n) and takes time poly(n) · t · 1/p.

... [ŝ^1_i]_{i≡b mod 2n′} in the first round, then apply an automorphism to shift the positions i ≡ b^2 mod n′ into the positions i ≡ b mod 2n′, resulting in a permuted RLWE secret, denoted ŝ^2. Note that applying the automorphism causes the positions ŝ^1_i with i ≡ b mod n′ to shift into the positions i ≡ 1 mod 2n′. This means that we are now back where we started, and the reduction is now able to provide the required leakage (on [ŝ^2_i]_{i≡1 mod 2n′}) to the adversary and thus can learn the values at positions i ≡ b^3 mod n′ in the third iteration, etc. We next formalize the necessary properties of the automorphisms.

Definition 5.2
A probability distribution ψ : Z[ζ_m] → R is automorphically closed in K if for all i, j ∈ Z*_m, ϕ_{i→j}(ψ) = ψ.

⁶ Note that the problem is identical when the adversary obtains leakage [ŝ_i]_{i≡α mod 2n′} for α ∈ Z*_{2n′}, since, as we shall see next, an automorphism can be applied to shift all indices i with i ≡ α mod 2n′ to positions i ≡ 1 mod 2n′.
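As an added example, not from the paper: the automorphism σ_k : x ↦ x^k (k odd) of Z_q[x]/(x^n + 1) acts on NTT coordinates as the index permutation i ↦ i · k mod 2n, which is what the footnote above and the equivalence of the patterns (n′, S) and (n′, α_1^{−1} · S) in the Leaky RLWE section rely on. The Python below (toy parameters n = 16, q = 97, our own choices) builds one RLWE sample, leaks ŝ at pattern (n′ = 8, S = {3, 5}), and transfers that leakage to the secret σ_3(s), whose leaked pattern becomes (8, {1, 7}), using only the leaked coordinates; it also checks that (σ_k(a), σ_k(b)) is still an RLWE sample for σ_k(s) with the small error σ_k(e), which is why a reduction may hand the transformed instance to the adversary.

```python
# Added example, not from the paper: the automorphism x -> x^k (k odd) of Z_q[x]/(x^n + 1)
# permutes NTT coordinates, i -> i*k mod 2n. Toy parameters n = 16, q = 97 (q = 1 mod 2n).
import random

n, q = 16, 97
omega = next(w for w in range(2, q) if pow(w, n, q) == q - 1)   # primitive 2n-th root of unity
ODD = list(range(1, 2 * n, 2))                                  # Z*_{2n}: the NTT index set

def ntt(p):                            # p-hat_i = p(omega^i) for i in Z*_{2n}
    return {i: sum(c * pow(omega, i * d, q) for d, c in enumerate(p)) % q for i in ODD}

def ring_mul(a, b):                    # product in Z_q[x]/(x^n + 1)
    r = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[(i + j) % n] += ai * bj if i + j < n else -ai * bj
    return [x % q for x in r]

def sigma(p, k):                       # p(x^k) mod (x^n + 1): coefficients permuted up to sign
    r = [0] * n
    for d, c in enumerate(p):
        e = d * k
        r[e % n] = (r[e % n] + (-c if (e // n) % 2 else c)) % q
    return r

def positions(n_prime, S):             # leaked NTT indices for pattern (n', S)
    return [i for i in ODD if i % (2 * n_prime) in S]

def transfer_leak(leak, n_prime, S, alpha):
    """Leak {i: s-hat_i} at pattern (n', S) -> leak on sigma_alpha(s) at pattern (n', alpha^-1 S).
    Uses only NTT(sigma_alpha(s))_i = s-hat_{alpha*i mod 2n}; no unleaked coordinate is needed."""
    inv = pow(alpha, -1, 2 * n_prime)
    S2 = {inv * x % (2 * n_prime) for x in S}
    return {i: leak[alpha * i % (2 * n)] for i in positions(n_prime, S2)}, S2

def demo(seed=0, n_prime=8, S=frozenset({3, 5}), alpha=3):
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    a = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-2, 2) for _ in range(n)]                      # small error
    b = [(x + y) % q for x, y in zip(ring_mul(a, s), e)]            # one RLWE sample
    s_hat = ntt(s)
    leak = {i: s_hat[i] for i in positions(n_prime, S)}             # adversary's view of s-hat
    leak2, S2 = transfer_leak(leak, n_prime, S, alpha)
    s2, a2, b2, e2 = (sigma(x, alpha) for x in (s, a, b, e))
    s2_hat = ntt(s2)
    perm_ok = all(s2_hat[i] == s_hat[alpha * i % (2 * n)] for i in ODD)   # index permutation
    leak_ok = all(s2_hat[i] == v for i, v in leak2.items())             # transferred leak is real
    sample_ok = b2 == [(x + y) % q for x, y in zip(ring_mul(a2, s2), e2)]  # sigma is a ring hom.
    error_small = all(min(x, q - x) <= 2 for x in e2)                      # error stays small
    return sorted(S2), perm_ok, leak_ok, sample_ok, error_small
```

The same transfer with S = {α} and k = α sends the (n′, α) pattern to (n′, 1), which is the normalization the footnote invokes; the sets {1, 7} and {1, 15} used in the experiments are mapped to themselves because they are closed under multiplication by their own elements modulo 16.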
Assume subexponential 2^{Ω(n^ε)}-hardness of search RLWE without leakage for some constant ε ≤ 1 and polynomial modulus q. Then we also have that T_n(n) ∈ 2^{Ω(n^ε)}, and as discussed in the introduction, there must exist a constant c′ such that for sufficiently large n, there exists n* = n*(n) ∈ {2, 4, 8, 16, ..., n} such that T_{n*}(n) ≥ 2^{c′ n^ε} and T_{n*}(n)/T_{n*/2}(n) ≥ n. The above implies that T_{n*/2} ∈ o(T_{n*}). Now, if given [ŝ^1_i]_{i≡1 mod 2n*} leakage there exists a (t(n), p(n))-distinguishing adversary (where t(n) = √(T_{n*})/poly(n) and p(n) = 1/√(T_{n*})), then we will show that there is an adversary solving R-SLWE w.h.p. given the positions [ŝ^1_i]_{i≡1 mod 2n*} in time less than T_{n*}, leading to a contradiction. We begin by running Attack 1, which takes time at most o(T_{n*}) for our settings of t(n) and p(n). If b ∈ Z*_{2n*} is such that for some r ∈ [n*/2], b^r ≡ n* + 1 mod 2n*, then we can combine the reconstructed values of ŝ^1_i from Attack 1 with our knowledge of [ŝ^1_i]_{i≡1 mod 2n*} to obtain all values [ŝ^1_i]_{i≡1 mod n*}. This means that we can then run the search attack for a 2/n*-fraction of leakage to recover all of ŝ in time T_{n*/2} ∈ o(T_{n*}). But then the entire attack for (1 mod 2n*)-leakage can be run in time o(T_{n*}), contradicting the definition of T_{n*}. For n* > 4, the only cases in which Attack 1 does not recover [ŝ_i]_{i≡n*+1 mod 2n*} are when b ∈ {n* − 1, 2n* − 1}. For such b, we do not know how to rule out the possibility that given [ŝ_i]_{i≡1 mod 2n*}, the positions i ≡ b mod 2n* of û do not look random. In this case, however, we argue that given leakage on both [ŝ_i]_{i≡1 mod n*} and [ŝ_i]_{i≡b mod n*}, all other positions are indistinguishable from random, since otherwise a modified version of Attack 1 can be run. We next state the formal theorem of this section.
Case 1: b is such that b^r ≡ n* + 1 mod 2n* for some r ∈ [n*/2]. In this case, with an appropriate setting of poly(n), we can use Attack 1 to recover the positions i with i ≡ n* + 1 mod 2n* (w.h.p.) in time o(T_{n*}). Now we can run the attack that takes as input [ŝ_i]_{i≡1 mod n*} and recovers all of ŝ. By assumption, this attack runs in time T_{n*/2} ∈ o(T_{n*}). Thus, we recover the whole ŝ (w.h.p., greater than 1/2) in time o(T_{n*}), which is a contradiction.
We can combine this with the previous attack as follows:

A.1 Algebraic Number Theory
For a positive integer m, the m th cyclotomic number field is a field extension K = Q(ζm) obtained by adjoining an element ζm of order m (i.e. a primitive m th root of unity) to the rationals.

Ring of Integers R and Its Dual R ∨
Let R ⊂ K denote the set of all algebraic integers in the number field K defined above. This set forms a ring (under the usual addition and multiplication operations in K), called the ring of integers of K. An (integral) ideal I ⊆ R is a non-trivial (i.e. I ≠ ∅ and I ≠ {0}) additive subgroup that is closed under multiplication by R, i.e., r · a ∈ I for any r ∈ R and a ∈ I.
Define g := ∏_p (1 − ζ_p) ∈ R, where p runs over all odd primes dividing m. Also define t := m̂/g ∈ R, where m̂ = m/2 if m is even and m̂ = m otherwise.

A.2 Ring-LWE
We next present the formal definition of the RLWE problem as given in [26].
Definition A.2 (RLWE Distribution). For a "secret" s ∈ R^∨_q (or just R^∨) and a distribution χ over K_R, a sample from the RLWE distribution A_{s,χ} over R_q × (K_R/qR^∨) is generated by choosing a ← R_q uniformly at random, choosing e ← χ, and outputting (a, b = a · s + e mod qR^∨).

Definition A.3 (RLWE, Average-Case Decision)
The average-case decision version of the RLWE problem, denoted R-DLWE_{q,χ}, is to distinguish with non-negligible advantage between independent samples from A_{s,χ}, where s ← R^∨_q is sampled uniformly at random, and the same number of uniformly random and independent samples from R_q × (K_R/qR^∨).

A Note on the Tweak.
In [8], Alperin-Sheriff and Peikert show that an equivalent "tweaked" form of the Ring-LWE problem can be used in cryptographic applications without loss in security or efficiency. This is convenient since the "tweaked" version does not involve R^∨. The "tweaked" Ring-LWE problem is obtained by implicitly multiplying the noisy products b by the "tweak" factor t: as explained in [8], a sample (a, b = a · s + e) becomes (a, b′ = t · b = a · s′ + e′), where a, s′ = t · s ∈ R_q and the errors e′ = t · e come from the "tweaked" error distribution t · χ.

B.1 Leakage on two residues α_1, α_2 mod 2n′

Let e^α_u(x) be the polynomial of degree less than u = n/n′ obtained by reducing e(x) modulo x^u − (ω^α)^u. We consider two polynomials e^{α_1}_u(x) and e^{α_2}_u(x). We may assume WLOG that α_1 = 1, and we therefore set α := α_2. For i ∈ {0, ..., u − 1}, the (i + 1)-st coefficients of e_u(x) and e^α_u(x) are, respectively,

e_{u,i} = e_i + ω^u · e_{i+u} + ω^{2u} · e_{i+2u} + ... + ω^{(n′−1)u} · e_{i+(n′−1)u} mod q,
e^α_{u,i} = e_i + ω^{αu} · e_{i+u} + ω^{2αu} · e_{i+2u} + ... + ω^{(n′−1)αu} · e_{i+(n′−1)u} mod q.

Similar to the previous attack, we obtain the following constraints on the error, given leakage on the secret key and an RLWE sample:

$$\begin{pmatrix} 1 & \omega^{u} & \omega^{2u} & \cdots & \omega^{(n'-1)u} \\ 1 & \omega^{\alpha u} & \omega^{2\alpha u} & \cdots & \omega^{(n'-1)\alpha u} \end{pmatrix} \begin{pmatrix} e_i \\ e_{i+u} \\ \vdots \\ e_{i+(n'-1)u} \end{pmatrix} \equiv \begin{pmatrix} e_{u,i} \\ e^{\alpha}_{u,i} \end{pmatrix} \pmod q.$$

We solve a corresponding CVP instance to find the "most likely" solution e_i := (e_i, e_{i+u}, e_{i+2u}, ..., e_{i+(n′−1)u}), since the "most likely" solution is the one with smallest norm. Similar to our previous attack, our goal is to carefully choose the answers with "high confidence" such that (1) in total, we must guess at least u of the n′-dimensional solutions e^j_i from all the obtained solutions [e^j_i]_{j∈[ℓ], i∈[u]}; (2) with high probability all our guesses are correct. We choose the candidate which has probability at least, say, 0.95 of being the correct solution. The total probability of success in this case is 0.95^u = 0.95^{n/n′}. Our experiments in Section 3.2 again show that we can obtain enough "high confidence" solutions without requiring too large a number of RLWE instances.

C Description of Basic Attack
In this section, we present the Basic Attack, following the description from [23][24][25] and using the fact that NTT coefficients form a CRT representation. We first recall definition of CRT representation in our setting of parameters.

Figure 3: Partial Key Exposure Attack. Input: the leaked coordinates of the NTT transform ŝ of the secret key, the public key a and the public value b. Output: all coordinates of s.