Exploring Trade-offs in Batch Bounded Distance Decoding

Abstract

Algorithms for solving the Bounded Distance Decoding problem (BDD) are used for estimating the security of lattice-based cryptographic primitives, since these algorithms can be employed to solve variants of the Learning with Errors problem (LWE). In certain parameter regimes where the target vector is small and/or sparse, batches of BDD instances emerge from a combinatorial approach where several components of the target vector are guessed before decoding. In this work we explore trade-offs in solving “Batch-BDD”, and apply our techniques to the small-secret Learning with Errors problem. We compare our techniques to previous works which solve batches of BDD instances, such as the hybrid lattice-reduction and meet-in-the-middle attack. Our results are a mixed bag. We show that, in the “enumeration setting” and with BKZ reduction, our techniques outperform a variant of the hybrid attack which does not consider time-memory trade-offs in the guessing phase for certain Round5 (17-bits out of 466), Round5-IoT (19-bits out of 240), and NTRU LPrime (23-bits out of 385) parameter sets. On the other hand, our techniques do not outperform the Hybrid Attack under standard, albeit unrealistic, assumptions. Finally, as expected, our techniques do not improve on previous works in the “sieving setting” (under standard assumptions) where combinatorial attacks in general do not perform well.

The research of Albrecht was supported by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701) and EPSRC grants EP/S02087X/1 and EP/S020330/1. The research of Curtis was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1).

Appendices

A Meet-in-the-Middle

We consider a meet-in-the-middle approach where we assume (a) that collisions occur with probability 1, and (b) a square-root speed-up in the search phase. As discussed above, this modelling has been shown to be not correct [Wun19]. We include it here for compatibility with previous works which make similar assumptions, e.g [BCLv19]. On the other hand, we assume “free memory” here, i.e. we do not take the cost of memory into account. As illustrated in Table 3 under these assumptions and in the enumeration setting the Hybrid Attack and “g-v decoding” are essentially on par; in the sieving setting, BDD decoding is the most efficient.

Table 3. Estimates in enumeration setting considering a “meet-in-the-middle” approach which does not consider probabilities of failure in the meet-in-the-middle phase. Such an approach considers a square-root speed-up in the guessing phase. Notation as in Table 1.

Table 4. Estimates in sieving setting for a “meet-in-the-middle” approach as in Table 3. Notation as in Table 1. Estimates marked with \(^{\dagger }\) correspond to standard BDD decoding.

B Case Study: NTRU LPrime

We consider NTRU LPrime [BCLv19] as a case study of assumptions within the Hybrid Attack. This issue has recently been discussed on the “pqc-forum” associated to the NIST standardisation process [Duc19]. In the NTRUPrime Round 2 submission document [BCLv19] an updated security evaluation is provided based on the analysis of [Wun19]. The security evaluation considers uSVP and Hybrid approaches, and does not consider dual attacks. The Hybrid Attack analysis is made using the following assumptions:

• The modified GSA for q-ary lattices [Wun19] is considered as the output basis shape of BKZ, based on the technique of reducing a sublattice of dimension \(d-k\), where k is the number of “untouched” q-vectors.

• The use of the formula from [Wun19] for the success of Babai’s Nearest Plane algorithm, i.e

  $$\begin{aligned} p_{\textsf {np}} \approx \prod _{1 \le i \le d} \left( 1 - \frac{2}{B(\frac{d-1}{2}, \frac{1}{2})} \int ^{1}_{\min (r_i,1)} (1-t^{2})^{(d-3)/2}\,dt \right) \end{aligned}$$

  where \(r_i = \frac{\Vert \mathbf {b} _{i}^*\Vert }{ 2\Vert \mathbf {v} \Vert }\), \( \Vert \mathbf {v} \Vert \) is the expected length of the target vector, i.e \( \Vert \mathbf {v} \Vert = \sqrt{\sigma ^2 \cdot m + \frac{n - \tau }{n}\cdot h} \), and \(B(\cdot ,\cdot )\) is the Beta function.

• The cost of Babai’s Nearest Plane algorithm is considered to be one operation.

• In the meet-in-the-middle variant of the Hybrid Attack, the probability of collisions is one.

• In the quantum variant of the Hybrid Attack, the techniques from [GvVW17] are considered, which improves the search compared to Grover’s algorithm.

• Lattice scaling is considered for the uSVP attack, but not for the hybrid attack.

• Drop-and-solve style techniques are considered in the uSVP attack.

• Memory consumption for the meet-in-the-middle step is considered.

• Core-style BKZ cost models are considered, i.e \(2^{0.292\beta }\) (no lower order terms) in the sieving setting, and \( 2^{0.18728\beta \log (\beta ) - 1.019\beta + 16.1} \) in the enumeration setting.

We modified the script for estimating security accompanying [BCLv19] to provide individual estimates for a Hybrid Attack with “classical” guessing, and a Hybrid Attack with a meet-in-the-middle approach (as opposed to only outputting the estimate for the fastest attack) to retrieve the estimates in Table 5.

Table 5. Estimates from the NTRU LPrime Round 2 security script, best in class is highlighted in bold. Based on [BCLv19, Table 2].

Bridging Assumptions 

As discussed above, there are several points during a Hybrid Attack-based security analysis where assumptions are required. In order to cross-check our hybrid attack estimates, we align our code with the assumptions made in the NTRU LPrime security script. That is, we consider the set of assumptions \( \mathcal {A}_0 \) outlined in Table 6. Explicitly, we assume core-style BKZ models (“pre-quantum sieving” (i.e \(2^{0.292\beta }\)) and “pre-quantum enumeration” (i.e \(2^{0.18728\beta \log (\beta ) - 1.019\beta + 16.1}\)), both with “free memory”, in the language of [BCLv19]), we assume the formula for the success probability of Babai’s Nearest Plane algorithm from [Wun19] with a cost of one operation, we assume the q-ary GSA, a meet-in-the-middle guessing phase, with associated collision probability of one, we assume the target norm of the vector recovered via the BDD algorithm has Euclidean length \( \sqrt{\sigma ^2 \cdot m + h \cdot \frac{n- \tau }{n}} \) and we do not consider memory requirements³, or lattice scaling.

After considering the assumption set \( \mathcal {A}_0 \), we move through assumptions until we reach those used in our work. In particular, assumption set \( \mathcal {A}_1 \) corresponds to \( \mathcal {A}_0 \) with the q-ary GSA swapped for the BKZ simulator, since this is a more accurate measure of the output of BKZ, assumption set \( \mathcal {A}_2 \) corresponds to \( \mathcal {A}_1 \) with the cost of Babai’s Nearest Plane algorithm altered from one operation to be polynomial in the dimension of the lattice, i.e \( \frac{d^2}{2^{1.06}}\) operations as in [Wun19], assumption set \( \mathcal {A}_3 \) corresponds to \( \mathcal {A}_2 \) with the core- style cost models changed to cost models which consider eight tours, and assumption set \( \mathcal {A}_4 \) corresponds to \( \mathcal {A}_3 \) with the guessing strategy changed from a meet-in-the-middle to a classical guessing strategy, thus dropping the innacurate assumption that collisions occur with probability one. Finally, the only difference between assumptions set \( \mathcal {A}_4 \) and the assumptions considered in our work is that we consider lattice scaling.

Table 6. Sets of Assumptions Considered in this Appendix. There are many other alternative assumptions considered throughout the literature which we do not consider in this work.

We present results for each assumption set in Tables 7 and 8. To continue matching the assumptions in the NTRUPrime script, we searched for optimal values of \( \beta \) and \( \tau \) over the sets \( \tau \in \{0,40,80,\dots \} \), \( \beta \in \{40,80,120,\dots \} \), we note that, in both our script and the NTRUPrime script, lower estimates can be found by performing a more granular search.

Table 7. Enumeration-based estimates, each section corresponds to a set of assumptions outlined in Table 6, “– ” denotes a value which is not compatible with our notation (for example, our script considers a simple sqrt speed-up in the search space, the NTRUPrime script considers splitting the search space as in a meet-in-the-middle approach).

Table 8. Sieving Estimates. Estimates marked with \(^{\dagger }\) correspond to standard BDD decoding.