# Lizard: Cut off the Tail! // Practical Post-Quantum Public-Key Encryption from LWE and LWR

@article{Cheon2018LizardCO, title={Lizard: Cut off the Tail! // Practical Post-Quantum Public-Key Encryption from LWE and LWR}, author={Jung Hee Cheon and Duhyeong Kim and Joohee Lee and Yongsoo Song}, journal={IACR Cryptol. ePrint Arch.}, year={2018}, volume={2016}, pages={1126} }

The LWE problem has been widely used in many constructions for post-quantum cryptography due to its reduction from the worst-case of lattice hard problems and the lightweight operations for generating its instances. The PKE schemes based on the LWE problem have a simple and fast decryption, but the encryption phase requires large parameter size for the leftover hash lemma or Gaussian samplings.

## 80 Citations

### Integer Module LWE key exchange and encryption: The three bears (draft)

- Computer Science, Mathematics
- 2017

This work proposes a new post-quantum key exchange algorithm based on the integer module learning with errors (I-MLWE) problem and suggests MLWE over a generalized Mersenne field instead of a polynomial ring.

### Module-LWE key exchange and encryption : The three bears

- Computer Science, Mathematics
- 2017

This work proposes a new post-quantum key exchange algorithm based on the module learning with errors (mLWE) problem and suggests mLWE over a generalized Mersenne field instead of a polynomial ring.

### Prey on Lizard: Mining Secret Key on Lattice-based Cryptosystem

- Computer Science, Mathematics
- 2018

This paper investigates the way to break Lizard by side channel attacks such as timing and fault attacks and proposes countermeasures to protect Lizard from these attacks.

### Efficient Identity-Based Encryption from LWR

- Computer Science, MathematicsICISC
- 2019

This work proposes the first probabilistic Identity-Based Encryption (IBE) from the LWR problem which is secure in the standard model and presents an efficient instantiation employing algebraic ring structure and MP12 trapdoor sampling algorithms with an implementation result.

### spKEX: An optimized lattice-based key exchange

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2017

The advent of large-scale quantum computers has resulted in significant interest in quantum-safe cryptographic primitives. Lattice-based cryptography is one of the most attractive post-quantum…

### Filianore: Better Multiplier Architectures For LWE-Based Post-Quantum Key Exchange

- Computer Science, Mathematics2019 56th ACM/IEEE Design Automation Conference (DAC)
- 2019

This work designs and implements specialized hardware multiplier units for both LWE and RLWE key exchange schemes to maximize their computational efficiency and shows that client-side energy-efficiency of LWE-based key exchange can be on the same order, or even better than RLWE- based schemes, making LWE an attractive option for designing post-quantum cryptographic suite.

### On the Hardness of the Computational Ring-LWR Problem and its Applications

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2018

This work suggests that decisional R-LWR based schemes, such as Saber, Round2 and Lizard, which are among the most efficient solutions to the NIST post-quantum cryptography competition, stem from a provable secure design.

### Cryptanalysis of Compact-LWE

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2017

Dongxi Liu recently introduced a new lattice-based encryption scheme (joint work with Li, Kim and Nepal) designed for lightweight IoT applications, based on a variant of standard LWE called Compact-LWE, but is claimed to achieve high security levels in considerably smaller dimensions than usual lattICE-based schemes.

### IND-CCA-Secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited

- Computer Science, MathematicsCRYPTO
- 2018

To fully assess the post-quantum security, security analysis in the quantum random oracle model (QROM) is preferred, but current works either lacked a QROM security proof or just followed Targhi and Unruh’s proof technique and modified the original transformations by adding an additional hash to the ciphertext to achieve the Q ROM security.

### Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2018

Saber is introduced, a package of cryptographic primitives whose security relies on the hardness of the Module Learning With Rounding problem (Mod-LWR), and the design goals were simplicity, efficiency and flexibility.

## References

SHOWING 1-10 OF 79 REFERENCES

### Better Key Sizes (and Attacks) for LWE-Based Encryption

- Computer Science, MathematicsCT-RSA
- 2011

A new lattice attack on LWE that combines basis reduction with an enumeration algorithm admitting a time/success tradeoff performs better than the simple distinguishing attack considered in prior analyses.

### A Practical Post-Quantum Public-Key Cryptosystem Based on spLWE

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2016

This paper proposes an efficient instantiation of a PKE scheme based on LWE with a sparse secret, named as spLWE, and provides a polynomial time reduction from LWE to exploit the sparsity of a secret key and derive more suitable parameters.

### Efficient Cryptosystems From 2k-th Power Residue Symbols

- Computer ScienceIACR Cryptol. ePrint Arch.
- 2013

The Goldwasser-Micali cryptosystem is simple and elegant but is quite wasteful in bandwidth when encrypting large messages.

### Post-Quantum Security of the Fujisaki-Okamoto and OAEP Transforms

- Computer Science, MathematicsTCC
- 2016

The scheme is a combination of an asymmetric and a symmetric encryption scheme that are secure in a weak sense that is a slight modification of the Fujisaki-Okamoto transform that is secure against classical adversaries.

### NTRU: A Ring-Based Public Key Cryptosystem

- Computer Science, MathematicsANTS
- 1998

NTRU encryption and decryption use a mixing system suggested by polynomial algebra combined with a clustering principle based on elementary probability theory to create a new public key cryptosystem.

### Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2016

Despite conventional wisdom that generic lattices might be too slow and unwieldy, it is demonstrated that LWE-based key exchange is quite practical: the authors' constant time implementation requires around 1.3ms computation time for each party; compared to the recent NewHope R-LWE scheme, communication sizes increase by a factor of 4.7x, but remain under 12 KiB in each direction.

### Packed Ciphertexts in LWE-Based Homomorphic Encryption

- Mathematics, Computer SciencePublic Key Cryptography
- 2013

The Peikert-Vaikuntanathan-Waters (PVW) method of packing many plaintext elements in a single Regev-type ciphertext, can be used for performing SIMD homomorphic operations on packed ciphertext.

### Classical hardness of learning with errors

- Computer Science, MathematicsSTOC '13
- 2013

It is shown that the Learning with Errors (LWE) problem is classically at least as hard as standard worst-case lattice problems, and the techniques captured the tradeoff between the dimension and the modulus of LWE instances, leading to a much better understanding of the landscape of the problem.

### Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

- Computer Science, MathematicsEUROCRYPT
- 1999

A new trapdoor mechanism is proposed and three encryption schemes are derived : a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA, which are provably secure under appropriate assumptions in the standard model.

### Making NTRU as Secure as Worst-Case Problems over Ideal Lattices

- Computer Science, MathematicsEUROCRYPT
- 2011

This work shows how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields.