#LTQI
———
¹ apparently saying “competition” is discouraged
#LTQI
The ring here is ℤ/pℤ with p Mersenne prime (p=2ⁿ-1). It was initially a simplification of the above schemes, but we couldn’t break it, so we proposed it.
#LTQI
Nice properties of arithmetics mod p
Reduction mod p is very easy.
HW(X+Y)≤HW(X)+HW(Y)
(HW:=Hamming weight)
HW(XY)≤HW(X)×HW(Y)
HW(Rp(X))≤HW(X)
Rp(X) = representent of X ∈[0,p-1]
X≠0⇒ HW(-X)=n-HW(X)
#LTQI
H=f/g [mod p], f and g contain few (≤h) 1s
H public key
f,g: private key
a,b random with few 1s
Encryption: C=±(aH+b)
Decryption: gC=±(af+bg): The number of 1s (small or big) tells you whether the bit is + or -
#LTQI
HW rules above allows to show that it works with small=≤2h², and big=≥n-2h²
#LTQI
Initially, we had fR+g=0, with R=-1/H. Nouw we move to T=fR+g, with R random. Public key is (T,R).
Enc/Dec: En/De-coding
Encryption;
C₁=aR+b₁
C₂=a T+b₂
E(m)=(C₁,C₂⊕(Enc(m))
Decryption (I guess):
C₂'=fC₁ which is almost C₂. #LTQI
But the above scheme is only secure against passive adversaries. He uses CCA-KEM encapsulation/decpasulation to get CCA security.
#LTQI
#LTQI
n=756839
low HW threshold h=256
The hidden problem is distinguish
(R₁, R₂, aR₁+b₁, aR₂+b₂) from (R₁, R₂, R₃, R₄) with a, b₁, b₂ of small HW
Best known attacks worse than 2^2h (classical) and 2^h (quantum)
#LTQI