Abstract
Abstract The leftover hash lemma (LHL) is used in the analysis of various lattice-based cryptosystems, such as the Regev and Dual-Regev encryption schemes as well as their leakage-resilient counterparts. The LHL does not hold in the ring setting, when the ring is far from a field, which is typical for efficient cryptosystems. Lyubashevsky et al. (Eurocrypt ’13) proved a “regularity lemma,” which can be used instead of the LHL, but applies only for Gaussian inputs. This is in contrast to the LHL, which applies when the input is drawn from any high min-entropy distribution. Our work presents an approach for generalizing the “regularity lemma” of Lyubashevsky et al. to certain conditional distributions. We assume the input was sampled from a discrete Gaussian distribution and consider the induced distribution, given side-channel leakage on the input. We present three instantiations of our approach, proving that the regularity lemma holds for three natural conditional distributions.
Highlights
The leftover hash lemma (LHL) is used in the analysis of various lattice-based cryptosystems
We prove a “regularity lemma” for three conditional distributions, which we describe
We present a general approach for analyzing the leakage resilience of RLWE-based cryptosystems, by determining and analyzing the explicit probability density function (PDF) resulting from the conditional distribution of the RLWE secret given the leakage
Summary
The leftover hash lemma (LHL) is used in the analysis of various lattice-based cryptosystems. Lyubashevsky et al [25, 26] proved a “regularity lemma” showing that the distribution over al+1 as above is (close to) uniform random, even given a2, . The regularity lemma of [25] implies nothing about uniformity of al+1 in the case that x is a high min-entropy input from another distribution. In this case Φm(x) completely splits into n factors in Zq[x] This is the setting favored in practice since it allows for optimizations in the implementation, such as fast arithmetic over the ring Rq. A Ring Analogue of the LHL. Rq such as the above, a result analogous to the leftover hash lemma—proving that aixi is indistinguishable from random, given a2, . The fundamental technical question we consider in this work is: For which distributions
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
