RLWE-based distributed key generation and threshold decryption ⋆

. Ever since the appearance of quantum computers, prime factoring and discrete logarithm based cryptography has been put in question, giving birth to the so called post-quantum cryptography. The most prominent field in post-quantum cryptography is lattice-based cryptography, protocols that are proved to be as difficult to break as certain difficult lattice problems like Learning With Errors (LWE) or Ring Learning With Errors (RLWE). Furthermore, the application of cryptographic techniques to different areas, like electronic voting, has also seen to a great interest in distributed cryptography. In this work we will give two original threshold protocols based in the lattice problem RLWE: one for key generation and one for decryption. We will prove them both correct and secure under the assumption of hardness of some well-known lattice problems and we will give a rough implementation of the protocols in C to give some tentative results about their viability.


Introduction
The appearance of the computer in the XXth century caused the explosion of cryptography, the safety of which enabled the huge development of the connected society.Similarly, the development of quantum computing and specifically Shor's algorithm [14], which renders cryptography based on the discrete logarithm and prime factoring problems effectively useless against a quantum adversary, spawned new types cryptography.
There are two main types developed to overcome the attacks of quantum computers: quantum cryptography and post-quantum cryptography.Quantum cryptography relies on quantum algorithms that cannot be broken by quantum adversaries, while post-quantum deals with classical (non-quantum) algorithms that cannot be broken by quantum adversaries.Although both are interesting in their own right, given that widespread usage of moderately powerful quantum computers seems unachievable in the short run, we focus in post-quantum cryptography.In this realm the area that has had more recent advancements is lattice-based cryptography, especially cryptography based in the Learning With Errors (LWE) problem and its variants, like Ring Learning With Errors (R-LWE), the variant which our proposals are built around.This is backed by the fact that in the Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process [1] most third-round finalists are latticebased schemes.
There are many applications of post-quantum cryptography, but the one we are involved with is electronic voting.However in electronic voting we have an added difficulty, and that is the lack of trust.Given that the lack of trust in other entities is what initially spawned the concept of cryptography, going further in this direction is the next logical step to follow.Therefore, what we want is to "spread" that trust, so that one single corrupt player can no longer mess up with the protocol.Distributed cryptography is this idea of spreading the tasks between several players so that only certain subsets of them can perform the cryptographic protocol.And this finally brings us to our main subject: R-LWEbased distributed key generation and threshold decryption.

State of the art
Despite the usefulness of and interest in lattice based threshold public key encryption cryptography, there are not many proposals, and even less that focus on the R-LWE problem.Most current proposals revolve around the LWE problem (for example [5], [6], [11] and [15]) which has the potential problem of keys and ciphertexts growing with O(n 2 ) instead of with O(n) like the R-LWE variant (with n the dimension of the lattice), thus having a high possibility to need a greater amount of operations and therefore computation time.In the world of threshold encryption based on R-LWE as far as we know there is only one proposal given in [16], which is based on the homomorphic properties of their Fully Homomorphic Encryption scheme.However, this proposal does not come with a distributed key generation protocol (they rely on a Trusted Third Party (TTP) for that) and as with all the other proposals, to the best of our knowledge there are no given implementations to truly analyze computation times.

Contributions
In this work we give original protocols of both distributed key generation and threshold decryption, that as far as we know are the first R-LWE based threshold protocols including both decryption and key generation.The protocols are based on the LWE proposal given by Bendlin and Damgård in [5], their ideas transported into the R-LWE setting.Furthermore, we prove these protocols both correct and secure, we give a set of parameters for which our protocols have more than 100 bits of security and we give a rough implementation in C of the protocols to analyze their performance.Most of this section has been taken from the introduction in the Master's Thesis [2] by Ferran Alborch Escobar.

Notation
Elements in R, Z or Z q will be indicated as lower case letters (a, b, . ..), while elements in R n , Z n or Z n q will be indicated as bold lower case letters (a, b, . ..).We will consider Z q with the representatives in − q 2 , q 2 .X ←− χ means X is sampled from a random variable following the distribution χ, Y ←− χ n means Y is a vector such that every coordinate independently follows the distribution χ and for any set J , j $ ← − J is the action of choosing j uniformly at random from J .We will also identify any polynomial of degree n − 1, f (x) = a 0 + a 1 x + . . .+ a n−1 x n−1 ∈ Z q [x] with the vector f = (a 0 , a 1 , . . ., a n−1 ) ∈ Z n q .Finally, a function g is said to be negligible over n (g := neg(n)) if ∀k ∈ Z >0 , ∃n 0 ∈ Z >0 such that ∀n ≥ n 0 , |g(n)| < 1 n k .

Cryptographic primitives
We will start by giving some cryptographic primitives, well-known definitions, protocols or techniques used in cryptography upon which we will build our encryption scheme and protocols.First we will properly define what an encryption scheme is.
Definition 1.An encryption scheme is a tuple S = (M, C, K, E, D) such that: -M is a set called plaintext space.
-C is a set called ciphertext space.
-K is a set called key space.Generally a key generation is also specified to generate k ∈ K. -E = {E k : k ∈ K} is a set of functions E k : M × R → C called encryption functions.R is a randomness space because some encryption protocols use random values.-D = {D k : k ∈ K} is a set of functions D k : C → M called decryption functions.
Note that if D and E use the same key, then we call it symmetric encryption, otherwise we call it asymmetric or public key encryption.In public key encryption K can be divided in two different sets, K s the secret key space and K p the public key space.The public key (known by all entities) is used to encrypt messages and the secret key (known only to the entity decrypting) is used to decrypt.
Once we have defined a cryptosystem we need to prove some properties about it, otherwise it would not be useful.The most important of these properties are correctness and security.Definition 2. Let (M, C, K, E, D) be an encryption scheme.The encryption scheme is said to be correct if for all e ∈ K p exists some computable d ∈ K s such that, given λ the security parameter, In contrast with correctness of an encryption scheme, security has many different ways in which it can be defined.This is due to the fact that a decryption should always be correct (or always except with negligible probability) but security depends on how is the adversary we want to protect us against (information available, computational power) and what we want to ensure (that the adversary cannot know what message was encrypted or that he cannot distinguish which message has been encrypted from a pool of plaintexts).In our case we are interested in CPA security.
Attack Game 1 (Attack Game 5.2 and 11.2, [7]).Let S = (M, C, K, E, D) be an encryption scheme.Given an adversary A, the Chosen Plaintext Attack (CPA) attack game, has two experiments, Experiment 0 and Experiment 1.For b ∈ {0, 1} we define Experiment b as: -The challenger chooses e $ ← − K p (and sends it to the adversary if we are in public key encryption).
-The adversary submits polynomially many queries to the challenger.For i = 1, 2, . .., A submits two same-length messages m 0i , m 1i ∈ M. The challenger computes c i = E e (m bi ) and sends it to the adversary.-The adversary outputs a bit b ∈ {0, 1}.
Let W b be the event in which A outputs 1 in the event b, then we define A's CPA advantage as: Definition 3 (Definition 5.2 and 11.4,[7]).An encryption scheme S is said to be CPA secure if for all efficient adversaries A, the value CPAAdv[A, S] is negligible.
Furthermore, security can be achieved against different types of adversaries depending on what capacities they have.We will focus basically in passive adversaries (also known as honest but curious), who can see all the information the corrupted players have but cannot make them deviate from the protocol, and active adversaries (also known as malicious), who can make the corrupted players deviate arbitrarily from protocol.

Distributed Cryptography
The specific branch of cryptography we are interested in this work is distributed cryptography.

Definition 4 ( [13]
).A threshold secret sharing scheme of threshold t and u players is a scheme such that given some data D it divides it into u pieces D 1 . . ., D u such that: -Knowledge of t + 1 or more pieces D i makes D easily computable.
-Knowledge of t or less pieces D i leaves D completely undetermined (i.e.all its possible values are equally likely).
Definition 5. We will call a threshold encryption scheme a secret sharing scheme where what we try to recover is a plaintext from a ciphertext.
One of the first secret sharing schemes and one of the most used still due to its simplicity to compute and understand, is Shamir Secret Sharing.We will use it profusely throughout our work.

Technique 2 ( [13]
). Shamir Secret Sharing over a field F of a secret s ∈ F of threshold t works as follows: -For every player P j , their share of the secret is f (i j ), with i j ∈ F being different for every player and agreed before-hand.-When t+1 players want to recover the secret they use Lagrange interpolation to find f (z) and then compute f (0).
The convenience of this secret sharing scheme lays in two main properties: the recovery of the secret is done through Lagrange interpolation (which is easy to compute) and the shares are linear, which means that a linear combination of the shares is a share of the linear combination of secrets.Both these properties will be used in our work.
Other distributed cryptographic tools we will use will be both the Pseudo-Random Secret Sharing (PRSS) and the Non-Interactive Verifiable Secret Sharing (NIVSS) techniques.These tools will be primordial in our proposal, since the security of our protocols is based on being able to mask the relevant information with noise in such a way that the adversary cannot retrieve it.To generate this noise we will use these two protocols.Definition 6.A Pseudo-Random Function (PRF), Φ • (•), is a deterministic function that maps two sets (domain and range) on the basis of a key, which when run multiple times with the same input gives the same output but given an arbitrary input the output seems random, i.e. one cannot distinguish the output of a given input from a random oracle.

Technique 3 ( [8]
). Pseudo-Random Secret Sharing in Z q ( PRSS) allows u players to non-interactively share a common random value x with a threshold of t players (t < u) given a pseudo-random function Φ • (•) that with input a key and a value µ outputs values in the interval I = [a, b], a < 0, b > 0 and whatever group of players of size less or equal than t cannot obtain relevant information on x.The algorithm works as follows: -For each subset H of t players a Trusted Third Party (TTP) defines a key K H ∈ Z q uniformly at random.-Each player P j is given K H , ∀H such that P j / ∈ H. -The pseudo-random number they are sharing is for a value µ.Since there are u t such subsets H, we know x ∈ [ u t a, u t b].-To compute x j a Shamir share of x every player computes where f H (x) is the unique degree-t polynomial such that f H (0) = 1 and f H (i) = 0 for all P i ∈ H.

Technique 4 ( [8]
). Non-Interactive Verifiable Secret Sharing in Z q ( NIVSS), allows a dealer D to share a secret s with u players with threshold t given a value µ and a pseudo-random function ϕ • (•) that with input a key and µ outputs values in the interval I = [a, b], a < 0, b > 0. It works very similarly to PRSS.The algorithm works as follows: 1.For each subset H of t players the dealer D chooses a key K H ∈ Z q uniformly at random.2. The dealer D gives to player P j all the K H such that P j / ∈ H. 3. The dealer D reconstructs the pseudo-random value the players share x = H ϕ K H (µ), since he has all the keys.4. D broadcasts the value s − x, and now all the players have a share of s by adding their shares of x to s − x.
Finally, since we will be using distributed methods, one must ensure that the order in which the different players send information does not compromise the security of the scheme, since, broadly speaking, the last player to send information would have an advantage respect the first one due to knowing more information when making its decision.To solve this problem it is standard to use commitment schemes.Definition 7 (Definition 8.8, [7]).Given a message space M, a commitment scheme is a pair of efficient algorithms C = (C, V ) where C is an algorithm that given m ∈ M outputs a commitment c and an opening string o and V is a deterministic protocol that given (m, c, o) outputs accept or reject; and such that it satisfies the following properties: -Binding: This property is the notion that once a commitment c is generated, it should only commit for one message in M. In particular, for every efficient adversary A that outputs (c, m 1 , o 1 , m 2 , o 2 ) we must have that is negligible over λ the security parameter.
-Hiding: This property is the notion that the commitment c alone should not reveal any information about the message m.To properly define this we use a semantic security attack game (see Attack Game 2.1, [7]) where instead of encrypting the messages we compute its commitment.What we ask is, if W b denotes the event that the adversary outputs 1 in experiment b, then

Ring Learning with Errors
The Learning with Errors (LWE) problem was introduced by Regev in 2005 in a previous version of [12] as a generalization of the parity learning problem, and gave both a cryptographic protocol based on it and a reduction of its security to a hard lattice problem (the GAPSVP).However, cryptosystems based on the LWE problem have several issues.For example, many of them need to encrypt bit by bit and primarily the public keys required are very costly to store since they are usually (big) matrices of elements in Z q .Coupling these two together we get that a lot of storage space is usually needed to encrypt small amounts of information.
To solve these problems, the Ring Learning with Errors variant was introduced by Lyubasevsky, Peikert and Regev in [9].It is essentially a particular case of LWE but in polynomial rings over finite rings.The problem is over the polynomial ring R q = Z q [x]/⟨f ⟩, where f is a polynomial in Z q [x].
Given an element a(x) ∈ R q , one can see the principal ideal generated by a(x) as an ideal lattice in Z n q .This correspondence is easy to see in the case f (x) = x n + 1 (the particular R q we will use given its specific properties) due to the fact that the vector of coefficients of the product of polynomials in R q can be found through the anticyclic matrix as follows where a = (a 1 , . . ., a n ) and b = (b 1 , . . ., b n ) are the coefficients of a(x) and b(x) respectively.With this out of the way we can finally define the Ring Learning With Errors problem, on which a lot of lattice-based cryptography is based.Definition 8. Let χ be a probability distribution over R q and s ∈ R q .Then the R-LWE distribution A s,χ is the distribution in R q ×R q given by (a, b = a•s+e), where a ∈ R q is chosen uniformly at random, e ←− χ and all the operations to compute b are made in R q .
Definition 9.The decisional R-LWE problem is to distinguish samples from A s,χ from the uniform distribution in R q × R q with a probability that is nonnegligibly bigger than 1  2 .
Definition 10.The search R-LWE problem is to find s given a polynomial amount of samples from A s,χ with non-negligible probability.
Therefore, a sample of the R-LWE distribution is a point of an ideal lattice that has been offset by a margin set by the distribution χ (which is normally taken such that the error is small).So the search R-LWE problem could be seen as finding a point in the ideal lattice L(a) (remember that a vector a uniquely defines an ideal lattice through its anticyclic matrix) "close" to the sample, and the decision R-LWE could be seen as given an ideal lattice L(a), decide whether the points given are all "close" to L(a) or are uniformly distributed.
When implementing LWE or R-LWE we will use a certain type of distribution over Z q called discrete Gaussians, given their nice properties and ease in sampling values from them.There are several different definitions of discrete Gaussians but in our implementation we will use the following, given it is much easier to sample.
Definition 11 ( [12] ).Ψ σ , σ ∈ R + is the distribution in T = R/Z obtained by sampling a Gaussian random variable X, X ∼ N (0, σ) and then reducing modulo 1. Therefore: where reducing modulo 1 is taking only the decimal part of any real number.

Definition 12 ( [12]
).The discretization to Z q , q ∈ Z >0 of any distribution in T (Ψ : T → R + ), noted as Ψ : Z q → R + is sampling from Ψ , multiplying by q, and then rounding to the closest integer.Therefore: for λ security parameter and some i ∈ Z >0 .Then we define the truncated Discrete Gaussian of parameters σ and κ as the distribution which samples from Ψ σ and rejects any sample bigger than κ, when seeing them with representatives in − q 2 , q 2 .

Encryption Scheme and Protocols
Having given all the necessary preliminaries, we can finally present our encryption scheme, threshold decryption protocol and distributed key generation protocol, which we will prove correct in Section 4, secure in Section 5 and analyze its implementation in Section 6.
We will use a version of the LPR encryption scheme presented in [9].
Encryption Scheme 5. Let q, n, u ∈ Z >0 , where u is the number of players, and χ be a distribution over R q .The encryption scheme S = (M, C, K, E, D) and key generation we will be using is the following: We will see every m ∈ M as an element in R q with m being its vector of coefficients.
-This is a public encryption scheme, we have K s ⊆ R q and K p ⊆ R q × R q .
• For any pair of keys (pk, s) ∈ K p × K s we will have s ←− u i=1 χ (meaning it is the sum of u samples of χ) and pk = (a where where we will recover every bit of m by rounding every coefficient of to 0 or ⌊ q 2 ⌋ (mod q) and then mapping 0 to 0 and ⌊ q 2 ⌋ to 1.

Decryption Protocol Inputs
Now we will define the Threshold Decryption Protocol based on this encryption scheme and a Distributed Key Generation protocol to work together with it.For clarity we use a TTP to generate the keys in the encryption protocol, however, what we are looking for is a totally distributed scheme, so we also define a Distributed Key Generation Protocol to take the place of the TTP in the threshold decryption protocol.Protocol 6.Let χ be a distribution over R q and Φ • (•) a pseudo-random function with image in I n D , being I D an integer interval.Then the Threshold Decryption Protocol works as follows: 1.A TTP generates the keys K H ∈ Z q for every subset H of players of size t and distributes them according to the PRSS technique.It also generates the secret key s ∼ u i=1 χ and the public key (a E , b E ) as stated in Encryption Scheme 5. Then the TTP sends to the players (a E , b E ) and Shamir shares of s.We call s j the Shamir share of s of player P j , understood as a Shamir share on the vector of coefficients of s. 2. Client receives ciphertext c = (u, v), and sends all players c.

Each player
⌋ with e, r E , e v , s, e u ∼ χ. 4. Each player P j computes x j , as in the PRSS protocol but using µ = u + v (since it changes for every message and it is hard to distinguish from uniformly at random), its Shamir share of x := H Φ K H (u + v) and gets x j + ẽj Shamir share of x + ẽ. 5. Client reconstructs x + ẽ for every allowed subset of t + 1 players, picks whichever value is repeated more times, then for every coefficient returns 0 if x + ẽ is closer to 0 than to ⌊ q 2 ⌋ and returns 1 otherwise, and this is made public.
See Fig. 1.For the key generation protocol we will assume a commitment scheme is used in the initial steps of interaction, when all the sampling is done and sent.
, where I KG is an integer interval.The Distributed Key Generation Protocol works as follows: 1.For the secret key s ∈ R q , each player P j chooses its contribution s j = (s 1j , . . ., s nj ) with s j ∼ χ.Then they act as the dealer in a NIVSS to share every s ij to all players.All players verify the value broadcast when doing the NIVSS ( ) is in the interval u t I KG .Now all players have shares of every s ij and by their linearity also of s i = j s ij .Then s is the polynomial in R q with coefficients (s 1 , . . ., s n ). 2. For the keys K H ∈ Z q that will be used for the PRSS in the threshold decryption, for every subset H of t players each player P j chooses uniformly at random K Hj ∈ Z q their contribution on these keys and shares it with all the players using Shamir secret sharing.Then the players will have, by adding all the shares received by other players, Shamir shares of K H = j K Hj .Finally all players send privately their shares on K H to all the players in A the complement of H, so they can recover K H . 3. For the contributions to e ∈ R q proceed identically to when generating s. 4. For a E ∈ R q every player P j chooses its share (a E,1 j , . . ., a E,n j ) randomly in R n q and does a Shamir share of it.Then all players send to all players their share on all the (a E,1 j , . . ., a E,n j ) so every player can recover (by adding the shares) j a E,1 j , . . ., j a E,n j .The polynomial in R q with these coefficients will be a E . 5. Every player computes locally their Shamir shares on b E = a E • s + e by performing these same operations with the shares they have on s and e. 6.Finally, the public key (a E , b E ) is made public.See Fig. 2 for a more detailed look into the steps of interaction needed.Note that we will denote with subindexes the additive contributions and with superindexes the Shamir shares.

Correctness
With all the preliminaries on hand and having defined both protocols we can now proceed to prove their correctness.We will give the proof for the case of a passive adversary in the Key Generation phase and an active (or passive) adversary in the Decryption phase, since this will be the case our implementation will use, the reasons for this decision will be explained in Section 6.1.The proof for the case where there is an active adversary during the Key Generation Protocol will be in Section A.1 of the Appendix.Theorem 8. Let n, q, u ∈ Z >0 , n = 2 β and u being the number of players.Let where , χ be a n-dimensional distribution obtained by n independent truncated Discrete Gaussian with parameters σ and κ and

. Key Generation Protocol
Then Protocol 6 will have correct output against an active static adversary corrupting up to t < u 3 players.
Proof.What we want to see first is that |x + ê| i ≤ q 4 ∀i, where • i notes the coefficient i on the polynomial, given the way the decryption works in Encryption Scheme 5.
Let ê = e • r E + e v − s • e u .Since the product in R q is done through the anticyclic matrix, we know that: and therefore, since r E , e v , e u ∼ χ and s, e ∼ u χ, where every coefficient of χ is truncated by κ, we get that Furthermore, given that there are u t keys K H , we know that Adding both results we then get that as we wanted to see.Finally, we just need to see that when the client reconstructs, there is indeed a majority of correct results, and this derives directly from having at most t corrupt players, therefore there will be a majority of subsets of t + 1 players where they are all honest, and thus output the correct decryption.
For the case where we combine both protocols, which means that we replace the TTP in Protocol 6 with Protocol 7, the outputs of this protocol and the TTP are equally generated for the case of a passive adversary in the Key Generation phase, since it cannot make any player deviate from the protocol.Therefore we can directly apply Theorem 8. Furthermore, the same theorem and proof is valid against a passive adversary corrupting up to t = u − 1 players, only noting that we will have all of the decryptions correct since a passive adversary cannot make any player deviate from the protocol.

Security
We will divide the proofs of security for the protocols into several theorems to ease the proofs.First we will prove the CPA security of Encryption Scheme 5 as a one-player scheme and then we will prove that no information is leaked when distributing the protocols.Finally we will add everything to prove the CPA security of both protocols used together.

Security of Encryption Scheme
We will split the proof of security of Encryption Scheme 5 in three distinct parts: reducing the security of the encryption scheme to the decisional R-LWE problem, reducing the R-LWE problem with the Ψ n distribution to the R-LWE problem with truncated discrete Gaussian, and finally reducing the decisional R-LWE problem to K-DGS, a well-known lattice problem assumed to be hard to solve.We will make this splitting because the first reduction will be for any distribution χ, while the second reduction will be specifically for the distribution Ψ n .The first reduction follows the ideas from the reduction of Regev's encryption scheme to LWE given in [12].For the detailed proof see Section B of the Appendix.
Theorem 9. Given χ a distribution over R q , there exists a reduction to the semantic security of the Encryption Scheme 5 from the decisional R-LWE χ problem.
Note that the reduction is to the semantic security of the scheme and not the CPA security.However it is well-known that in public key encryption both notions are equivalent (see for example Theorem 11.1 in [7]).
Secondly, we want to be able to insure that if we know how to solve an instance of the decision R-LWE problem with a truncated discrete Gaussian we can solve an instance of the decision R-LWE problem with the Ψ n distribution.This is clearly so given an instance of the decision R-LWE problem with the Ψ n distribution one can see it as an instance with the truncated discrete Gaussian distribution except for a negligible amount of times.Therefore the advantage of the adversary solving both instances will differ at most a negligible amount, thus getting what we needed.
Finally we need to see that our R-LWE instance is as hard to solve as a lattice problem, in our case as hard to solve as the Discrete Gaussian Sampling over K (K-DGS), where K is the field such that R is its ring of integers, in other words, R = O K .Thankfully, this job has already been done in [10], though to do so properly we need to give some clarifications about different ways to define the R-LWE distribution.
Let K be a number field with R its ring of integers.Let R ∨ be the fractional codifferential ideal of K (R ∨ = {x ∈ K | Tr(xR) ⊂ Z}), and let T R = K R /R ∨ .Let q ≥ 2 be an integer modulus.Let us unpack this.Firstly in our specific case of K being a cyclotomic field with n = 2 k for some case, we have R = Z[x]/⟨x n +1⟩, so in turn it can be seen that R ∨ is isomorphic to R. Secondly, K R = K ⊗ Q R which is isomorphic to R n , so looking it component by component T R could be seen as isomorphic to T n with T = R/Z.With this out of the way we can see their definition.Definition 14 (Definition 2.14, [10]).For s ∈ R ∨ q and an error distribution ψ over K R , the R-LWE distribution A s,ψ over R q × T R is sampled by independently choosing a $ ← − R q and an error term e ← ψ, and outputting (a, b = (a • s)/q + e mod R ∨ ).Now our postulate is that this definition taking as Ψ an n-dimensional spherical continuous Gaussian with parameter ξ (which is a distribution used in [10]) and then raising it to R q again, is a more general definition to our Definition 8 using Ψ ξ q , in the sense that if we can solve an instance of the R-LWE problem defined with the distribution in Definition 8 we can solve an instance of the R-LWE problem with the distribution in Definition 14.It can be seen as one, since a spherical Gaussian in R n can be seen as the product of n independent Gaussians over R with the same standard deviation.Then in essence what we are doing in Definition 14 is multiply a times s, then divide the result by q (which we can since we are seeing the elements in K R which is a field) and adding the error distribution.Then we reduce it modulo R ∨ thus landing in T R .Now if we look it component by component we have in essence computed a • s/q and then added to each component a sample of Ψ ξ q , so when raising it again to R ∨ q (by multiplying by q and rounding) we get that q(a • s/q) = a • s ∈ R ∨ q and to every component we have added an independent sample taken from Ψ ξ q .Therefore, if ρ n ξ is the spherical Gaussian with parameter ξ, given an adversary who solves R-LWE Ψ ξ q it is easy to give an adversary who solves R-LWE ρ n ξ .Therefore we can apply the following result from [10].
Lemma 1 (Corollary 7.3, [10]).There is a polynomial-time quantum reduction from K-DGS γ to the (average-case, decision) problem of solving R-LWE ρ n ξ using l samples with ξ = α nl log(nl) 1 4 , α > 0 and In conclusion, we have seen that breaking the security of Encryption Scheme 5 is at least as hard as solving the decision R-LWE problem with a truncated discrete Gaussian, which is at least as hard as solving the decision R-LWE problem with the Ψ n distribution, which in turn is at least as hard as solving the K-DGS problem.

Non-Leakage of Information
In this section we need to see that the adversary does not gain any extra information by interacting with the distributed protocol.We will start first with the Protocol 6, seeing that an adversary A cannot distinguish between interacting with the protocol or with random inputs.Furthermore, we will also give the adversary the ability to choose its shares of the secret key and the PRSS keys, since it makes the game easier and it only serves to see that the protocol's security is even stronger than what is usually required.
To appropriately do so we will need the following auxiliary lemmas about statistical distance, the proofs of which will be in Section B of the Appendix.
Lemma 2. Let Y be a probability distribution over Z such that |Y | is bounded by κ and X be a discrete uniform distribution in the integer interval [−a, a] with a ≥ κ • 2 λ .Then ∆(X, X) ≤ 2 −λ , where X = X + Y .Lemma 3. Let X, Y be two probability distributions over a countable support N such that ∆(X, Y ) ≤ 2 −λ , and n ∈ Z >0 with n = 2 β for some With these auxiliary lemmas we can go ahead and prove the adversary cannot distinguish between interacting with the protocol and random values.
Theorem 10.Assume that Φ • (•) is a secure pseudo-random function modeled as a random oracle, that the keys K H have been securely generated and distributed, that the secret key s has been securely generated and shared and that the parameters follow the conditions of Theorem 8. Then the Decryption Protocol (Protocol 6) is secure against a passive and static adversary, corrupting up to t = u − 1 players.
Proof.We want to construct an Attack Game in which the adversary cannot distinguish between the protocol executed correctly or with random values to show that the distribution does not leak anything about the secret key s nor the error e.
Let C denote the set of corrupted players and B the set of honest players.The Attack Game works as follows.Assume that the challenger knows the secret key s and the K H such that C ⊇ H (the keys that the adversary does not know) which have been securely generated.Assume that the challenger sends to the adversary A the ciphertext (u, v) and then A submits (s -If b = 1: The challenger computes for every H such that C ⊇ H some element r H ∈ I n D uniformly at random and we denote as y the polynomial in R q with vector of coefficients C⊉H Φ K H (u + v) + C⊇H r H . Then the challenger generates d ′ B consistent shares of y + m⌊ q 2 ⌋ (the challenger knows m since it can be computed using the protocol, given that everything needed is known) and outputs (d ′ B , m).
Finally A outputs b ∈ {0, 1}, meaning whether it thinks it has interacted with the protocol or with a simulation, and the Game concludes.
It is clear that m will be correct in both cases given the proof of Theorem 8, and furthermore, y + m⌊ q 2 ⌋ will be an effective "decryption" of m in the sense that every coefficient will be closer to 0 if m i = 0 and closer to ⌊ q 2 ⌋ if m i = 1, because Therefore we only need to see that d ′ B are indistinguishable whether they are computed with b = 0 or with b = 1.Let us see it.First of all, y and x are computationally indistinguishable to the adversary given the properties of pseudo-randomness of Φ • (•).We now want to see that the way y and y + e • r E + e v − s • e u = y + ê are distributed are at a negligible statistical distance.It is clear that y is distributed in the interval u t I n D (with u t values distributed uniformly in I D ) and as we have seen in the proof of Theorem 8 ê is in the interval [−2nuκ 2 + κ, 2nuκ 2 + κ] n .Therefore, since the distribution of every coefficient is identical and independent we have that by Lemma 2 ∆(y i , {y + ê} i ) ≤ 2 −λ−β and by Lemma 3 ∆(y, y + ê) ≤ 2 −λ so the distribution of y and y+ê are at a negligible statistical distance.Therefore, we get that y + m⌊ q 2 ⌋ and x + ê + m⌊ q 2 ⌋ are computationally indistinguishable.
Finally, adding it all together we get that the output (d ′ B , m) is computationally indistinguishable whether it has been computed with b = 0 or with b = 1, so as we wanted to see.
After Theorem 10 we have only seen that Protocol 6 is secure when the keys are securely generated and against a passive adversary corrupting t ≤ u − 1 players, but it is standard to see that the same protocol is secure against an active adversary corrupting t < u 3 players if instead of the client reconstructs m using the shares of all subsets of t + 1 players, since that will give a majority of correct outputs.
The reason behind this is that we have already seen that no information is leaked, so the only thing required is to see that the adversary cannot abort the protocol or cause an incorrect output.In case of an active adversary (who can cause players to deviate arbitrarily from the protocol), what is needed is that if all combinations of t + 1 players are decrypting the message, there needs to be a majority of combinations of t + 1 players with no corrupt players.This gives us that t < u 3 is enough.
Now we need to see that Protocol 7 leaks no information against an adversary corrupting up to t = u − 1 players.To do so we will once again see that the adversary cannot distinguish between interacting with the protocol or a simulation where the challenger sets before-hand the values of the keys.
Theorem 11.Assuming that the image interval of the pseudo-random function KG where that C is a commitment scheme such that it has a trapdoor and the parameters follow the conditions on Theorem of correctness, then the Key Generation Protocol (Protocol 7) is secure against a passive and static adversary, corrupting up to t = u − 1 players.
Proof.We want to construct an Attack Game in which the adversary cannot distinguish between the protocol executed correctly and a simulation where the challenger sets the values of s, e, a E and K H for all H before-hand.Let C denote the set of corrupt players and B the set of honest players.The Attack Game works as follows.Assume that whenever a corrupt player needs to sample a uniform distribution it sends a query to the challenger for a random value from a random oracle.Let ) the challenge output by A, the first step of the interaction in protocol 7 as we can see in Fig. 2. Then the challenger chooses b $ ← − {0, 1} and proceeds as follows: -If b = 0: The challenger and the adversary follow Protocol 7 to generate a E , b E and the shares .
Then he uses the trapdoor in the commitment scheme to recover (s C , eC , K s ), and proceeds as follows.We will divide the explanation depending on what he is simulating to ease comprehension, but everything will be done simultaneously, following the flow of information seen in Fig. 2.
• For the "generation" of s, the challenger will use the keys K s N H C (of which he knows all of them given that they were generated through queries to the random oracle through the challenger) to recover s C , the contribution of the corrupt players to s.With this information, the challenger can compute s B the contribution of the honest players to s such that s = s C + s B .With these values computed the challenger follows with the protocol.
• For the "generation" of e the challenger proceeds identically as with generating s. • For the "generation" of K H , the challenger samples random values in Z q for K ′ H B (the first step) and commits them.It then will receive K C H from the adversary (the shares of K H pertaining to the corrupt players) and will compute consistent Shamir shares K B H so that the players share K H .Then, as in the protocol, the challenger sends the shares K B H to all players not in H. • For the "generation" of a E , the challenger samples random values in R q for a E B (the first step) and commits them.It then will receive a C E (the shares of a E pertaining to the corrupt players) and will compute consistent Shamir shares a B E so that the players share a E .Then, as in the protocol, the challenger sends the shares a B E to all players.• For the "generation" of b E the challenger outputs b E at the end of the protocol.
Then, the challenger outputs (a Finally A outputs b ∈ {0, 1}, meaning whether it thinks it has interacted with the protocol or with the simulation, and the Game concludes. It is clear that the flow of information is the same in both cases and that the values will be correct and what the challenger sampled before-hand, so we just need to see that the adversary cannot distinguish between the values received when b = 0 from the ones received when b = 1.For s (and e) it is clear that they are indistinguishable, since we used the trapdoor in the commitment scheme to set the values necessary before any messages were sent from the adversary to the challenger.Furthermore, we know that no information was leaked in the NIVSS since because of Lemmas 2 and 3 we know that no information was leaked as in the proof of Theorem 10.
For K H (and in turn a E since they are analogous), we need to see that the adversary cannot distinguish from K ′ H B generated by the protocol or them being random in Z q .To see this we will use the security of Shamir secret sharing, since the adversary can only control up to t players.Therefore, the value shared is completely undetermined by the shares of the corrupt players, so both cases (b = 0 and b = 1) are indistinguishable to the adversary.
Finally, by adding everything up, we get that (a as we wanted to see.
As in Section 4, we have also proven the equivalent to this last theorem for an active adversary, however we will not use the result for the implementation, for reasons we will state in Section 6.1.However the proof can be found in Section A.2 of the Appendix.
Having proved the security of each protocol individually, we only need to see that using both protocols together still gives us an encryption scheme which is semantically secure.
Main Theorem.Assume the conditions in Theorems 8 and 11 are fulfilled.Then, if K-DGS γ is hard, then encryption under keys generated by Protocol 7 and decryption following Protocol 6 is semantically secure against a static and passive adversary corrupting up to t = u − 1 players acting through the Key Generation phase and the same adversary being active corrupting up to t < u 3 players in the Decryption phase.
Proof.First, using the result in Theorem 11, we can see that the adversary cannot distinguish between executing both protocols, or replacing the key generation with keys generated by the challenger.Using then Theorem 8 we can see that the adversary cannot distinguish between taking part in the decryption or having the challenger decrypt all by itself.Therefore we get that the adversary cannot distinguish between the semantic security game when both distributed protocols are used from the basic semantic security game of Encryption Scheme 5.This means, using what we have seen in Section 5.1 that breaking semantic security when both protocols are being used is as hard as breaking semantic security of the encryption scheme, so using the reduction to K-DGS γ and that we assume this problem to be hard, we have that our protocols are semantically secure, as we wanted to see.

Implementation
The first step for the implementation is finding good parameters that guarantee the security of the particular instance of the R-LWE problem.To verify it we will use the bounds on ξ in Lemma 1 and the LWE hardness estimator given by Albrecht et al. in [3].We use the LWE estimator because, as far as we know, no major attacks are known to exploit the particular properties R-LWE, so the estimated hardness for LWE translates as estimated hardness for R-LWE.

Choosing Parameters
We set the security parameter λ = 100.We need to find the following parameters: n, q, κ and ξ which will then allow us to compute I D and I KG .We will first leave everything in function of n and q and we will then use the concrete hardness of an instance of the R-LWE problem to fix n and q.
Let n = 2 β and q ∈ Z >0 .Using the conditions on I D on Theorem 8 we get that To find ξ, we will use the following lemma, the proof of which is in Section B of the Appendix.Lemma 4. Let Ψ σ q be a discrete Gaussian.Then ∀c > 0: Using the bound on Definition 13 and Lemma 4 we can get the following bound which when isolating the ξ gives us the following bound .
From here we will take the equality, since with a fixed q the larger the standard deviation the greater the hardness of that specific instance of the decision R-LWE problem.Now we can find n and q using the LWE hardness estimator, which given n, q, α outputs the concrete hardness of that specific instance.We will set n as a power of 2, since it allows us to use more efficient multiplication algorithms and q as a prime near a power of 2. Using this, we implemented a Python algorithm to find these parameters.The code can be found in the repository in Section C of the Appendix.This has yielded the following results as parameters for u = 7 and t = 2 and more than 100 bits of security, as can be seen in Table I.In this code there is also the computing of parameters for the case of an active adversary in Key Generation phase using the conditions on Theorem 12, giving us that to have 100 bits of security against this type of adversary we need to bump up to n = 8192.This, as we will see with the results in Section 6.3, hurts the viability of the protocols, that is why we give our main proposal as secure against an adversary who acts passively in the Key Generation phase and actively in the Decryption phase.

Implementation Particulars
There are several implementation decisions we have taken and need to discuss.Firstly, we have not coded a truly interactive protocol between u different players, but rather a simulation where one processor computes all the steps simulating the interaction, in the sense that the protocols are divided by steps between interactions where all computing can be done without interaction.Then the program computes how much time every step costs for every player and picks the maximum as the "official" time for that step.This is done this way since we only want to analyse roughly how viable our protocols are, so this approximate works for us.This also means that the execution of the simulation lasts considerably longer than the "real time" for the execution, thus limiting us with the amount of players we can reasonably use.
Secondly, to have the most compact possible form of Shamir Secret Sharing we have used Shamir over the field of Z q instead of embed it in Q.This is the main reason why we have taken q prime, since none of the reductions require it.
Thirdly, regarding the implementation of the PRF, we have used the main result in [4], which says that an HMAC is a PRF under the condition that the underlying compression function is a PRF.To ensure this condition is satisfied we have used the HMAC based around SHA-3.
Finally, regarding the Commitment Scheme we have used for the Key Generation protocol, we have used the hash of the message we want to send concatenated with a random string.We have used SHA-2 since, as far as we know, it is secure enough.However, should the need arise it could be swapped for a more secure alternative.Furthermore, we have only needed to use a commitment scheme after the first round where every player sets their values.This is so because once all the values have been set and all the shares sent, the contributions of the adversary are no longer needed, since the honest players already can generate a majority of correct values.And given that no other value needs to be set in a way the adversary cannot exploit (since the adversary becomes irrelevant), a commitment scheme in any further communication step seems unnecessary.However, this commitment phases could be added with no major change to the protocol nor the prove of security or correctness, only a slightly slower execution.

Results of the simulation
In this final section we will discuss the results we have obtained from the execution of the code for the simulation of both protocols, code which you can find in the repository linked in Section C of the Appendix.The specifications of the system where we have executed the programs are found in Table II.Furthermore, we have used the following C libraries: FLINT (Fast Library for Number Theory) to ease computations in R q , which in turn uses the GMP and MPFR libraries to deal with multiple precision numbers, and OpenSSL library for cryptography related functions like Hashes or HMACs.Also mention that any result we obtain from the execution of the simulation has been found by averaging the times of 10000 executions of the code, so as to better portray the results, getting rid of outliers.From what we have seen to this point there are two main dependencies: growth of time in respect to the threshold t and growth of time in respect to the dimension of the lattice.This is so because the threshold defines the minimum number of players needed (and vice versa, given a number of players we can get the maximum threshold it allows) depending if we are protecting ourselves against an active or a passive adversary, and as we have seen in Section 6.1 given the adversary model, given an n we can find the rest of parameters that make the protocol secure (taking into account that there is a minimum n for which this analysis works).
In regards to the dependency on t, analysing the protocols theoretically lets us see that when performing either the PRSS or the NIVSS there are u t different keys K H , meaning that the number of additions grows asymptotically with the value u t .This means that the dependency should be approximately exponential in the active case where u = 3t + 1 and approximately linear in the passive case where u = t + 1.When obtaining results from the simulation, we have gathered results for the values of t most frequently used in real life applications like electronic voting, which means t < 3 against active adversaries and t < 7 for passive adversaries.This decision is mainly due to how we have implemented the simulation, since instead of having the several players' protocols being executed at the same time, we have them executed consecutively and then take the maximum time spent as the overall time.In the case of the Key Generation, since there are various steps of interaction, this process is applied to every one of the steps.Therefore, due to time constraints, we were limited to how many players we could simulate 10000 executions of the codes.Having said all that, the results we obtained for the dependency on t followed our predictions.In the active case they behaved greater than lineally in the three points we had and in the passive case it behaved approximately linearly.A more in depth analysis cannot be made unless more extensive data is gathered.
In regards to the dependency on n, given that there is multiplication of polynomials in both protocols, which is implemented using the Karatsuba algorithm that scales by the order of n log 2 (3) > n 1.5 , so the time grows asymptotically with this value.The results obtained for the dependency on n, which can be seen in Fig. 3, show the expected results only in the decryption phase against a passive adversary.For the other cases we see linear, or practically linear, behaviour for the range of values of n we are interested in for real life applications.This is due to the fact that the protocols need to perform a much higher number of additions than products, and this difference ends up being high enough for the linear growth of the addition to offset the growth of the product at these values of n.
Finally, we want to discuss the viability of the protocols.As we can see in Table III the Key Generation times are significantly slower than the Decryption time, between 4 and 7 times slower.This however does not pose a big problem, since by design in most implementations one round of Key Generation will be used to decrypt many messages, therefore we can focus our main analysis in the decryption times.In that front, the 530.36 ms per decryption in the active case translates to approximately 7000 messages per hour, while the 131.73 ms per message in the passive case translates to approximately 27000 messages per hour.As we can see it will be half these votes per hour with n = 8192, which will be needed against an active adversary as we have said in Section 6.1.Adding both results we then get that as we wanted to see.
Finally, we just need to see that when the client reconstructs, there is indeed a majority of correct results, and this derives directly from having at most t corrupt players, therefore there will be a majority of subsets of t + 1 players where they are all honest, and thus output the correct decryption.
As in Section 4, the same proof works against a passive adversary corrupting up to t = u − 1 players.However, in the case of dealing with an active adversary in the key generation phase, to have a truly correct scheme we need to see that the protocol cannot be halted by any actions performed by a malicious adversary.However, in the protocol, whenever a verification fails the protocol halts.To deal with these we implement the following dispute resolution policy, where a dispute is raised whenever a player receives a value that fails verification stating there which other player sent the values.
The policy works as follows, once the protocol is halted the players look at the disputes that have risen, and then "eliminate" all players involved in them, in the sense that a new execution of the key generation protocol will start without both players involved in every dispute, and in case a player is involved in more than one dispute only the first one will be analyzed.This policy ensures that the protocol will produce a correct output with at most t halts since no dispute can be risen between honest players, and given that the security of the scheme is based only on assuming that there is at least one contribution on s and e following the distribution, the output generates no problems.Finally note that since in every dispute there is at most one honest player, the ratio of corrupt players will never go above u 3 .

A.2 Security
To be able to prove security when the Key Generation is against an active adversary we will only need to reword the Theorem as follows.
Theorem 13.Assuming that Φ • (•) is a secure pseudo-random function modeled as a random oracle, that the keys K H have been securely generated and distributed, that the secret key s has been securely generated and shared and that the parameters follow the conditions of Theorem 12, the Decryption Protocol (Protocol 6) is secure against an active and static adversary, corrupting up to t < u 3 players.
The proof is analogous to the proof of Theorem 8.
We will now prove that the Key Generation leaks no information when acting against an active adversary corrupting up to t < u 3 players.As before, we will prove that the adversary cannot distinguish between interacting with the protocol or a simulation where the challenger sets before-hand the values of the keys.
Theorem 14.Assuming that the image interval of the pseudo-random function that C is a commitment scheme such that it has a trapdoor and the parameters follow the conditions on Theorem of correctness, then the Key Generation Protocol (Protocol 7) is secure against an active and static adversary, corrupting up to t < u 3 players.
Proof.We want to construct an Attack Game in which the adversary cannot distinguish between the protocol executed correctly and a simulation where the challenger sets the values of s, e, a E and K H for all H before-hand.Let C denote the set of corrupt players and B the set of honest players.The Attack Game works as follows.Assume that whenever a corrupt player needs to sample a uniform distribution it sends a query to the challenger for a random value from a random oracle.Let ) the challenge output by A, the first step of the interaction in protocol 7 as we can see in Fig. 2. Then the challenger chooses b $ ← − {0, 1} and proceeds as follows: -If b = 0: The challenger and the adversary follow Protocol 7 to generate a E , b E and the shares s Then he uses the trapdoor in the commitment scheme to recover (s ), and proceeds as follows.We will divide the explanation depending on what he is simulating to ease comprehension, but everything will be done simultaneously, following the flow of information seen in Fig. 2.
• For the "generation" of s, the challenger will use the keys K s N H C (of which he knows all of them since he controls more than t players), to recover s C , the contribution of the corrupt players to s.With this information, the challenger can compute s B the contribution of the honest players to s such that s = s C + s B .With these values computed, the challenger proceeds with the protocol.

B Proofs of auxiliary Theorems and Lemmas
B.1 Proof of Theorem 9 Theorem 16.Given χ a distribution over R q , there exists a reduction to the semantic security of the Encryption Scheme 5 from the decisional R-LWE χ problem.
Proof.What we want to see is that given an efficient adversary A who has nonnegligible semantic security advantage, we can construct an efficient adversary B with access to A who given an instance of the decisional R-LWE problem, it can solve it with probability non-negligibly bigger than 1  2 .Let (a i , b i ) ∈ R q × R q be an instance of the decisional R-LWE problem.What we need B to do is to be able to output whether a polynomial amount of instances are samples of the distribution A s,χ or of the uniform distribution over R q × R q , in other words, we want to know whether b i = a i • s + e for some s ∈ R q and e ←− χ.
Note that any adversary A who breaks semantic security may be of one of two types.Either A has non-negligible semantic security advantage against the encryption scheme when (a E , b E ) are generated independently uniformly at random (instead of having b E = a E • s + e) or it does not.We will construct two different adversaries for these cases.
Assume firstly that A has a negligible semantic security advantage against the encryption scheme when (a E , b E ) are generated independently uniformly at random.Let (a 1 , b 1 ) be an instance of the R-LWE χ problem, then we define the following attack game.
Attack Game 1: The attack game goes as follows: -Set the public key to (a 1 , b 1 ) and send it to A.
- We know from how we have defined the adversary A, since SSAdv[A, S] is non-negligible, if the instances follow the distribution A s,χ then SSAdv * 1 [A, S] will be non-negligible and if the instances are uniform over R q ×R q then SSAdv * 1 [A, S] will be negligible.This means that with non-negligible probability B can solve the decisional R-LWE χ problem as we wanted.
Assume now that A has a non-negligible semantic security advantage against the encryption scheme when (a E , b E ) are generated independently uniformly at random.Let, once again, (a 1 , b 1 ) and (a 2 , b 2 ) be two instances of the R-LWE χ problem, then we define the following attack game.
Attack Game 2: The attack game goes as follows: -Set the public key to (a 1 , a 2 ) and send it to the adversary.
- We know from how we have defined the adversary A, since SSAdv[A, S] is non-negligible, if the instances follow the distribution A s,χ then SSAdv * 2 [A, S] will be non-negligible and if the instances are uniform over R q ×R q then SSAdv * 2 [A, S] will be negligible, since if b i are uniformly at random then v 2 is independent from the public key and m b22 .This means that with non-negligible probability B can solve the decisional R-LWE χ problem as we wanted, since it is possible to distinguish, with non-negligle probability, a negligible event from a non-negligible event.
B.2 Proofs of Lemmas 2 and 3 Lemma 5. Let Y be a probability distribution over Z such that |Y | is bounded by κ and X be a discrete uniform distribution in the integer interval [−a, a] with a ≥ κ • 2 λ .Then ∆(X, X) ≤ 2 −λ , where X = X + Y .
Proof.The first thing to notice is that for any z ∈ Z such that |z| > κ + a, we will clearly have X(z) = X(z) = 0, since the support of X will only go from −κ − a to κ + a.Furthermore, for n ∈ [−a + κ, a − κ], we can do the following analysis:

B.3 Proof of Lemma 4
To prove the lemma we will use another distribution called rounded discrete Gaussian.Now we can see that Ωσ (i) = Ψ σ q (i) for all i ∈ Z q , and therefore Ωσ = Ψ σ q as random variables.

Ωσ (i) =
k∈Z Ω σ (i + kq) where we have used the change of variables y = x−kq q and the dominated convergence theorem.
Therefore, if we know a bound for Ω, we know a bound for Ψ .Given this result, we can now bound the distributions using the fact that Ω is a rounded Gaussian and Mill's inequality: as the challenge, where s ′ C are the shares on the secret key of the corrupted players, K H C are the keys K H such that C ⊉ H (the keys A knows) chosen by A, and d ′ C are the shares on the decryption of the corrupted players.Then the challenger generates consistent shares on s for the players not in C. Once all these preliminaries are done, the challenger chooses b $ ← − {0, 1} and proceeds as following: -If b = 0: The challenger uses the decryption protocol to compute the shares of the decryption d ′ B for the honest players.It computes the decrypted message m and outputs (d ′ B , m).

1 $
Receive m 01 , m 11 from the adversary, and choose b← − {0, 1}.-Compute u 1 = a 1 • r E + e u and v 1 = b 1 • r E + e v + m b11 ⌊ q 2 ⌋ with r E , e u , e v ←−χ, and send (u 1 , v 1 ) to A. -Receive b1 from the adversary.Then B will work as follows.When given the instances, it picks (a 1 , b 1 ) and performs the Attack Game 1 with A a polynomial amount of times.Then it computes the advantage: SSAdv * 1 [A, S] = Number of queries where b1 = b 1 Total number of queries − 1 2 .

2 $
Receive m 02 , m 12 from the adversary, and choose b ← − {0, 1}.-u 2 = b 1 and v 2 = b 2 + m b22 ⌊ q 2 ⌋ and send (u 1 , v 1 ) to A. -Receive b2 from the adversary.Then B will work as follows.When given the instances, it picks two of them (a 1 , b 1 ) and (a 2 , b 2 ), and performs the Attack Game 2 with A a polynomial amount of times.Then it computes the advantage: SSAdv * 2 [A, S] = Number of queries where b2 = b 2 Total number of queries − 1 2 .

Table I .
Parameters for secure implementation

Table II .
Specifications of the system

Table III .
Time comparison between active and passive adversary