Abstract
Algorithms for solving the Bounded Distance Decoding problem (BDD) are used for estimating the security of lattice-based cryptographic primitives, since these algorithms can be employed to solve variants of the Learning with Errors problem (LWE). In certain parameter regimes where the target vector is small and/or sparse, batches of BDD instances emerge from a combinatorial approach where several components of the target vector are guessed before decoding. In this work we explore trade-offs in solving “Batch-BDD”, and apply our techniques to the small-secret Learning with Errors problem. We compare our techniques to previous works which solve batches of BDD instances, such as the hybrid lattice-reduction and meet-in-the-middle attack. Our results are a mixed bag. We show that, in the “enumeration setting” and with BKZ reduction, our techniques outperform a variant of the hybrid attack which does not consider time-memory trade-offs in the guessing phase for certain Round5 (17-bits out of 466), Round5-IoT (19-bits out of 240), and NTRU LPrime (23-bits out of 385) parameter sets. On the other hand, our techniques do not outperform the Hybrid Attack under standard, albeit unrealistic, assumptions. Finally, as expected, our techniques do not improve on previous works in the “sieving setting” (under standard assumptions) where combinatorial attacks in general do not perform well.
The research of Albrecht was supported by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701) and EPSRC grants EP/S02087X/1 and EP/S020330/1. The research of Curtis was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1).
Notes
1. Note that, following the literature, we are overloading notation here: this \(\alpha \) is unrelated to the BDD approximation factor \(\alpha \). It will always be clear from context which \(\alpha \) we are referring to.
2. All estimates use the LWE Estimator as of commit 3019847.
3. Note that [BCLv19] does contain estimates which consider memory, however we do not compare against them in our work, since we do not consider memory costs.
References
Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35
Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. Cryptology ePrint Archive, Report 2019/089 (2019). https://eprint.iacr.org/2019/089
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, pp. 327–343. USENIX Association (2016)
Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_11
Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: 33rd ACM STOC, pp. 601–610. ACM Press, July 2001
Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 103–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_4
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
Bindel, N., et al.: qTESLA. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Babai, L.: On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)
Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions
Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, January 2016
Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08344-5_21
Bhattacharya, S., et al.: Round5: compact and fast post-quantum public-key encryption. Cryptology ePrint Archive, Report 2018/725 (2018). https://eprint.iacr.org/2018/725
Buchmann, J., Göpfert, F., Player, R., Wunderer, T.: On the hardness of LWE with binary error: revisiting the hybrid lattice-reduction and meet-in-the-middle attack. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 24–43. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_2
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 6(3), 13 (2014)
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 575–584. ACM Press, June 2013
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42
Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Paris 7 (2013)
Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
Cheon, J.H., et al.: Lizard. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Doulgerakis, E., Laarhoven, T., de Weger, B.: Finding closest lattice vectors using approximate Voronoi cells. Cryptology ePrint Archive, Report 2016/888 (2016). https://eprint.iacr.org/2016/888
The FPLLL development team: FPLLL, a lattice reduction library (2016). https://github.com/fplll/fplll
Ducas, L.: Thread on PQC-forum (2019). https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/JwR0_fpNujc
Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012). http://eprint.iacr.org/2012/688
Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–463 (1985)
Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Göpfert, F., van Vredendaal, C., Wunderer, T.: A hybrid lattice basis reduction and quantum search attack on LWE. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 184–202. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_11
Garcia-Morchon, O., et al.: Round5. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions
Halevi, S.: HElib (2018). https://github.com/shaih/HElib
Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_9
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a new high speed public key cryptosystem. Draft Distributed at Crypto 1996 (1996). http://web.securityinnovation.com/hubfs/files/ntru-orig.pdf
Hoffstein, J., et al.: Choosing parameters for NTRUEncrypt. Cryptology ePrint Archive, Report 2015/708 (2015). http://eprint.iacr.org/2015/708
Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: 15th ACM STOC, pp. 193–206. ACM Press, April 1983
Laarhoven, T.: Sieving for closest lattice vectors (with preprocessing). In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 523–542. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_28
Lyubashevsky, V., et al.: CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36095-4_19
Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)
Micciancio, D.: The hardness of the closest vector problem with preprocessing. IEEE Trans. Inf. Theory 47(3), 1212–1215 (2001)
Micciancio, D.: On the hardness of LWE with binary error. Technical report, February 2018. http://cseweb.ucsd.edu/~daniele/papers/BinLWE.pdf
May, A., Silverman, J.H.: Dimension reduction methods for convolution modular lattices. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 110–125. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_10
Pöppelmann, T., et al.: NewHope. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005
Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36494-3_14
Schnorr, C.-P., Euchner, M.: Lattice basis reduction. Improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)
Simple Encrypted Arithmetic Library (release 3.1.0). Microsoft Research, Redmond, WA, December 2018. https://github.com/Microsoft/SEAL
Schanck, J.M., Hülsing, A., Rijneveld, J., Schwabe, P.: NTRU-HRSS-KEM. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Seo, M., Park, J.H., Lee, D.H., Kim, S., Lee, S.-J.: EMBLEM and R.EMBLEM. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36
Wunderer, T.: A detailed analysis of the hybrid lattice-reduction and meet-in-the-middle attack. J. Math. Cryptol. 13(1), 1–26 (2019)
Zhang, Z., Chen, C., Hoffstein, J., Whyte, W.: NTRUEncrypt. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Acknowledgements
The authors thank the anonymous SAC reviewers for their feedback, which has been used to improve this work.
Appendices
A Meet-in-the-Middle
We consider a meet-in-the-middle approach where we assume (a) that collisions occur with probability 1, and (b) a square-root speed-up in the search phase. As discussed above, this modelling has been shown to be incorrect [Wun19]. We include it here for compatibility with previous works which make similar assumptions, e.g., [BCLv19]. On the other hand, we assume “free memory” here, i.e. we do not take the cost of memory into account. As illustrated in Table 3, under these assumptions and in the enumeration setting, the Hybrid Attack and “g-v decoding” are essentially on par; in the sieving setting, BDD decoding is the most efficient.
B Case Study: NTRU LPrime
We consider NTRU LPrime [BCLv19] as a case study of assumptions within the Hybrid Attack. This issue has recently been discussed on the “pqc-forum” associated with the NIST standardisation process [Duc19]. In the NTRUPrime Round 2 submission document [BCLv19] an updated security evaluation is provided based on the analysis of [Wun19]. The security evaluation considers uSVP and Hybrid approaches, and does not consider dual attacks. The Hybrid Attack analysis is made using the following assumptions:
- The modified GSA for q-ary lattices [Wun19] is considered as the output basis shape of BKZ, based on the technique of reducing a sublattice of dimension \(d-k\), where k is the number of “untouched” q-vectors.
- The use of the formula from [Wun19] for the success of Babai’s Nearest Plane algorithm, i.e.
  $$\begin{aligned} p_{\textsf {np}} \approx \prod _{1 \le i \le d} \left( 1 - \frac{2}{B(\frac{d-1}{2}, \frac{1}{2})} \int ^{1}_{\min (r_i,1)} (1-t^{2})^{(d-3)/2}\,dt \right) \end{aligned}$$
  where \(r_i = \frac{\Vert \mathbf {b} _{i}^*\Vert }{ 2\Vert \mathbf {v} \Vert }\), \( \Vert \mathbf {v} \Vert \) is the expected length of the target vector, i.e. \( \Vert \mathbf {v} \Vert = \sqrt{\sigma ^2 \cdot m + \frac{n - \tau }{n}\cdot h} \), and \(B(\cdot ,\cdot )\) is the Beta function.
- The cost of Babai’s Nearest Plane algorithm is considered to be one operation.
- In the meet-in-the-middle variant of the Hybrid Attack, the probability of collisions is one.
- In the quantum variant of the Hybrid Attack, the techniques from [GvVW17] are considered, which improve the search compared to Grover’s algorithm.
- Lattice scaling is considered for the uSVP attack, but not for the hybrid attack.
- Drop-and-solve style techniques are considered in the uSVP attack.
- Memory consumption for the meet-in-the-middle step is considered.
- Core-style BKZ cost models are considered, i.e. \(2^{0.292\beta }\) (no lower order terms) in the sieving setting, and \( 2^{0.18728\beta \log (\beta ) - 1.019\beta + 16.1} \) in the enumeration setting.
We modified the script for estimating security accompanying [BCLv19] to provide individual estimates for a Hybrid Attack with “classical” guessing, and a Hybrid Attack with a meet-in-the-middle approach (as opposed to only outputting the estimate for the fastest attack) to retrieve the estimates in Table 5.
Bridging Assumptions
As discussed above, there are several points during a Hybrid Attack-based security analysis where assumptions are required. In order to cross-check our hybrid attack estimates, we align our code with the assumptions made in the NTRU LPrime security script. That is, we consider the set of assumptions \( \mathcal {A}_0 \) outlined in Table 6. Explicitly, we assume core-style BKZ models (“pre-quantum sieving” (i.e. \(2^{0.292\beta }\)) and “pre-quantum enumeration” (i.e. \(2^{0.18728\beta \log (\beta ) - 1.019\beta + 16.1}\)), both with “free memory”, in the language of [BCLv19]); we assume the formula for the success probability of Babai’s Nearest Plane algorithm from [Wun19] with a cost of one operation; we assume the q-ary GSA and a meet-in-the-middle guessing phase with an associated collision probability of one; we assume the target vector recovered via the BDD algorithm has Euclidean length \( \sqrt{\sigma ^2 \cdot m + h \cdot \frac{n- \tau }{n}} \); and we do not consider memory requirements (see Note 3) or lattice scaling.
After considering the assumption set \( \mathcal {A}_0 \), we move through assumptions until we reach those used in our work. In particular, assumption set \( \mathcal {A}_1 \) corresponds to \( \mathcal {A}_0 \) with the q-ary GSA swapped for the BKZ simulator, since this is a more accurate measure of the output of BKZ; assumption set \( \mathcal {A}_2 \) corresponds to \( \mathcal {A}_1 \) with the cost of Babai’s Nearest Plane algorithm altered from one operation to be polynomial in the dimension of the lattice, i.e. \( \frac{d^2}{2^{1.06}}\) operations as in [Wun19]; assumption set \( \mathcal {A}_3 \) corresponds to \( \mathcal {A}_2 \) with the core-style cost models changed to cost models which consider eight tours; and assumption set \( \mathcal {A}_4 \) corresponds to \( \mathcal {A}_3 \) with the guessing strategy changed from a meet-in-the-middle to a classical guessing strategy, thus dropping the inaccurate assumption that collisions occur with probability one. Finally, the only difference between assumption set \( \mathcal {A}_4 \) and the assumptions considered in our work is that we consider lattice scaling.
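As an added worked example (not code from the paper or from the NTRU LPrime security script), the following Python evaluates the Nearest Plane success probability formula and expected target norm listed above, together with the two core-style BKZ cost models, on a constructed basis profile. Assumptions: a plain GSA profile stands in for the q-ary GSA of [Wun19], the log in the enumeration model is taken as log2, all parameter values are constructed, and the function names are my own.

```python
import math

def beta_function(a, b):
    # B(a, b) = Γ(a)Γ(b)/Γ(a+b), evaluated in log-space so large d does not overflow
    return math.exp(math.lgamma(a) + math.lgamma(b) - math.lgamma(a + b))

def tail_integral(r, d, steps=2000):
    # ∫_{min(r,1)}^{1} (1 - t^2)^{(d-3)/2} dt by composite Simpson's rule (d >= 3, even steps)
    lo = min(r, 1.0)
    if lo >= 1.0:
        return 0.0
    f = lambda t: (1.0 - t * t) ** ((d - 3) / 2.0)
    h = (1.0 - lo) / steps
    total = f(lo) + f(1.0)
    for j in range(1, steps):
        total += (4 if j % 2 else 2) * f(lo + j * h)
    return total * h / 3.0

def nearest_plane_success(profile, v_norm):
    # p_np ≈ ∏_i (1 - 2/B((d-1)/2, 1/2) · ∫_{min(r_i,1)}^1 (1-t^2)^{(d-3)/2} dt), r_i = ||b_i*|| / (2||v||)
    d = len(profile)
    if d < 3:
        raise ValueError("formula needs lattice dimension d >= 3")
    scale = 2.0 / beta_function((d - 1) / 2.0, 0.5)
    p = 1.0
    for b_star in profile:
        p *= 1.0 - scale * tail_integral(b_star / (2.0 * v_norm), d)
    return p

def expected_target_norm(sigma, m, n, tau, h):
    # ||v|| = sqrt(σ²·m + (n-τ)/n · h), the target length used in the NTRU LPrime analysis
    return math.sqrt(sigma ** 2 * m + (n - tau) / n * h)

def gsa_profile(d, log2_det, delta):
    # Plain GSA stand-in for the q-ary GSA of [Wun19] (assumption, not the paper's basis shape):
    # ||b_i*|| = δ^(d+1-2i) · det^(1/d) for i = 1..d, so that ∏ ||b_i*|| = det
    return [delta ** (d + 1 - 2 * i) * 2.0 ** (log2_det / d) for i in range(1, d + 1)]

def bkz_cost_log2(beta, setting):
    # Core-style models listed above; assumption: log means log2, as in the LWE Estimator
    if setting == "sieving":
        return 0.292 * beta
    if setting == "enumeration":
        return 0.18728 * beta * math.log2(beta) - 1.019 * beta + 16.1
    raise ValueError(f"unknown setting {setting!r}")

if __name__ == "__main__":
    # Constructed toy instance (not an NTRU LPrime parameter set): d = 120, det = 2^600,
    # root Hermite factor δ = 1.0100, target norm from σ = 0.4, m = 60, n = 60, τ = 0, h = 30
    d, delta = 120, 1.0100
    v = expected_target_norm(0.4, 60, 60, 0, 30)
    prof = gsa_profile(d, 600.0, delta)
    print("||v|| =", round(v, 3), " p_np =", nearest_plane_success(prof, v))
    for beta in (60, 100, 200):
        print(beta, "sieving", round(bkz_cost_log2(beta, "sieving"), 1),
              "enumeration", round(bkz_cost_log2(beta, "enumeration"), 1))
```

Because ∫_0^1 (1-t²)^{(d-3)/2} dt = B((d-1)/2, 1/2)/2, a Gram-Schmidt vector with ||b_i*|| = 0 contributes a factor of 0 and one with ||b_i*|| ≥ 2||v|| contributes exactly 1, which is a useful sanity check when plugging in a real profile.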
We present results for each assumption set in Tables 7 and 8. To continue matching the assumptions in the NTRUPrime script, we searched for optimal values of \( \beta \) and \( \tau \) over the sets \( \tau \in \{0,40,80,\dots \} \) and \( \beta \in \{40,80,120,\dots \} \); we note that, in both our script and the NTRUPrime script, lower estimates can be found by performing a more granular search.
© 2020 Springer Nature Switzerland AG
Albrecht, M.R., Curtis, B.R., Wunderer, T. (2020). Exploring Trade-offs in Batch Bounded Distance Decoding. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science(), vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_19
DOI: https://doi.org/10.1007/978-3-030-38471-5_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38470-8
Online ISBN: 978-3-030-38471-5