Questions tagged [newhope]

NewHope is a KEM based on the presumed hardness of the RLWE problem.

At its core is Regev’s original idea for public-key encryption from plain LWE but specialized to a power-of-2 cyclotomic ring structure, enabling smaller ciphertext and key sizes as well as fast computations via NTT.

CCA security is achieved by a standard flavor of Fujisaki-Okamoto transform and is supported by proofs in the classical and quantum random oracle models.

Among all LWE-based lattice submissions, NewHope (and other RLWE schemes) can be viewed as the most structured, with MLWE being an intermediately structured case and plain LWE being the least structured case.

NewHope was not selected for the 3rd round of NIST PQC.

Ref: Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process

11 questions
11 votes, 1 answer

Is the "New Hope" Lattice Key Exchange vulnerable to a lattice analog of the Bernstein BADA55 Attack?

In the paper, "Post Quantum Key Exchange - A New Hope," the authors present a lattice-based key exchange based on the work of Chris Peikert. In this "New Hope" key exchange the authors try to gain security by having the basepoint for the key…
9 votes, 0 answers

Differences between “NewHope” and “NewHope-simple”

The well-known paper described a key exchange (KE) scheme named "NewHope" at USENIX 2016. The authors then proposed "NewHope-Simple" - a PKE/KEM scheme. They also submitted "NewHope for NIST" - a variation of "NewHope-Simple" to the NIST PQC…
9 votes, 1 answer

Converting NewHope/LWE key exchange to a Diffie-Hellman-like algorithm

By a “Diffie-Hellman-like” algorithm, I mean one that has the same API as Curve25519, etc (disregarding trivial differences such as the size of parameters): a function $$F: (P_\text{other}, S_\text{self}) \rightarrow \text{Shared secret}$$ where…
Demi
8 votes, 1 answer

NewHope and NIST's Post-quantum standardization

Where can I find NIST's reasoning to eliminate NewHope from the 3rd round of the post-quantum competition? I see all the lattice KEMs finalists are based on modules. Did being a ring-based KEM contribute to their elimination? In this case, is there…
Rick
8 votes, 1 answer

Number of LWE samples in NewHope

This is regarding the post-quantum key exchange protocol New-Hope (https://eprint.iacr.org/2015/1092.pdf). In the paper, we can see that the number of samples generated by the protocol is $2n$ where $n$ is $1024$, the rank of matrix $a$. Once…
Rick
7 votes, 1 answer

Differences between NewHope-CPA-KEM and NewHope-CCA-KEM

According to the web page for NewHope, an R-LWE post-quantum key encapsulation mechanism (KEM) candidate for standardization, it comes in types that are IND-CPA or IND-CCA secure. I know what CPA and CCA security are, but I don't understand the…
4 votes, 1 answer

NTRU Backdoor and NewHope TLS Protocol

The pre-print, Unstructured Inversions of NewHope was posted yesterday and uses a backdoor method against NTRU to claim that Grover's algorithm and an inversion oracle could be applied to NewHope. My question is whether the backdoor from the…
floor cat
3 votes, 1 answer

Module LWE with an even modulus

Does module-LWE remain hard for an even modulus $q$, or a power of two? This is true for Ring-LWE (pseudorandomness) and Module-LWR (SABER). I can't find any reference to it!
C.S.
1 vote, 1 answer

CECPQ1 key exchange functionality

CECPQ1 (combined elliptic Curve and Post-Quantum Cryptography Key Exchange) is a new key exchange developed by Google, which combines X25519 with NewHope (elliptic Curve KE + Post-quantum KE). Google has implemented CECPQ1 in BoringSSL. But there…
1 vote, 1 answer

What is the purpose of adding secondary error to calculated key in BCNS and NewHope protocols?

The answer to this question might be trivial or very short, but I would like to ask it anyway. In both BCNS and NewHope Ring-LWE key-exchange protocol one party adds a secondary error to their calculated key. What is the reason? Is it just to…
Node.JS
0 votes, 0 answers

Binomial distribution sampling - concrete example

Can anyone give me an explicit example of how one can sample from the binomial distribution defined in NewHope's paper? What is the difference of sampling from rounded Gaussian in practice?
C.S.