Dual Lattice Attacks for Closest Vector Problems (with Preprocessing)

Conference paper, Topics in Cryptology – CT-RSA 2021 (CT-RSA 2021)

Abstract

The dual attack has long been considered a relevant attack on lattice-based cryptographic schemes relying on the hardness of learning with errors (LWE) and its structured variants. As solving LWE corresponds to finding a nearest point on a lattice, one may naturally wonder how efficient this dual approach is for solving more general closest vector problems, such as the classical closest vector problem (CVP), the variants bounded distance decoding (BDD) and approximate CVP, and preprocessing versions of these problems. While primal, sieving-based solutions to these problems (with preprocessing) were recently studied in a series of works on approximate Voronoi cells [Laa16b, DLdW19, Laa20, DLvW20], for the dual attack no such overview exists, especially for problems with preprocessing. With one of the take-away messages of the approximate Voronoi cell line of work being that primal attacks work well for approximate CVP(P) but scale poorly for BDD(P), one may further wonder if the dual attack suffers the same drawbacks, or if it is perhaps a better solution when trying to solve BDD(P).

In this work we provide an overview of cost estimates for dual algorithms for solving these “classical” closest lattice vector problems. Heuristically we expect to solve the search version of average-case CVPP in time and space \(2^{0.293d + o(d)}\) in the single-target model. The distinguishing version of average-case CVPP, where we wish to distinguish between random targets and targets planted at distance (say) \(0.99 \cdot g_d\) from the lattice, has the same complexity in the single-target model, but can be solved in time and space \(2^{0.195d + o(d)}\) in the multi-target setting, when given a large number of targets from either target distribution. This suggests an inequivalence between distinguishing and searching, as we do not expect a similar improvement in the multi-target setting to hold for search-CVPP. We analyze three slightly different decoders, both for distinguishing and searching, and experimentally obtain concrete cost estimates for the dual attack in dimensions 50 to 80, which confirm our heuristic assumptions, and show that the hidden order terms in the asymptotic estimates are quite small.

Our main take-away message is that the dual attack appears to mirror the approximate Voronoi cell line of work – whereas using approximate Voronoi cells works well for approximate CVP(P) but scales poorly for BDD(P), the dual approach scales well for BDD(P) instances but performs poorly on approximate CVP(P).

Thijs Laarhoven and Michael Walter. TL is supported by an NWO Veni grant (016.Veni.192.005). MW is supported by the European Research Council, ERC consolidator grant (682815 – TOCNeT). Part of this work was done while both authors were visiting the Simons Institute for the Theory of Computing at the University of California, Berkeley.


Notes

  1. For the method to work we only need the denominator to be constant in \(\varvec{t}\).

  2. The following argument therefore holds not only if \(\varvec{t}\) is from the planted target distribution, but also if \(\varvec{t}\) is fixed and the distribution of the dual vectors is modeled via the Gaussian heuristic.

  3. For large d the squared norm of such a vector follows a chi-squared distribution, which is closely concentrated around 1.

  4. For the simple decoder the distribution of each term is indeed identical. Due to the weighting factors \(\rho _{1/s}(\varvec{w})\) in the other two decoders, the terms are not quite identically distributed. However, in most cases of interest, the important contribution to the output distribution comes from a subset of vectors of \(\mathcal {W}\) with almost equal norms.
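The distinguishing version of the dual attack sketched in the abstract, using the simple (unweighted) decoder that note 4 refers to, as an added toy example that is not code from the paper: it brute-forces short dual vectors of a tiny q-ary lattice, then scores planted targets (lattice point plus small error) against uniformly random targets. The dimension d = 8, modulus q = 31, one-coordinate secret, the error set {-1,0,1} and the decision threshold 0.5 are all constructed choices for illustration.

```python
import itertools
import math
import random

# Toy parameters, constructed for illustration only: the q-ary (LWE-style)
# lattice {x in Z^d : x = A*s mod q} with d = 8, q = 31 and a 1-dimensional secret.
Q, D, N = 31, 8, 1

def short_dual_vectors(A, q=Q):
    """Brute-force every nonzero w in {-1,0,1}^d with A^T w = 0 mod q.
    The vectors w/q are short vectors of the dual lattice, i.e. the set W the
    dual attack averages over; real attacks obtain W by sieving or reduction."""
    d, n = len(A), len(A[0])
    return [w for w in itertools.product((-1, 0, 1), repeat=d)
            if any(w) and all(sum(w[i] * A[i][j] for i in range(d)) % q == 0
                              for j in range(n))]

def score(W, t, q=Q):
    """Simple decoder: the mean of cos(2*pi*<w,t>/q) over W.
    For t = A*s + e mod q the lattice part A*s is killed by A^T w = 0 mod q,
    leaving cos(2*pi*<w,e>/q) with <w,e> small, so the mean is close to 1.
    For uniform t each <w,t> mod q is uniform and the mean is close to 0."""
    return sum(math.cos(2 * math.pi * sum(wi * ti for wi, ti in zip(w, t)) / q)
               for w in W) / len(W)

def planted_target(A, rng, q=Q):
    """t = A*s + e mod q for a random secret s and an error e in {-1,0,1}^d."""
    s = [rng.randrange(q) for _ in range(len(A[0]))]
    return [(sum(A[i][j] * s[j] for j in range(len(s))) + rng.choice((-1, 0, 1))) % q
            for i in range(len(A))]

def random_target(d, rng, q=Q):
    """A target uniformly random mod q, i.e. with no planted nearby lattice point."""
    return [rng.randrange(q) for _ in range(d)]

def distinguish(W, t, threshold=0.5):
    """Decide 'close to the lattice' when the decoder's score exceeds the threshold."""
    return score(W, t) > threshold

def demo(seed=1, targets=20):
    """Score planted and uniform targets with a fixed seed and report
    (|W|, lowest planted score, highest uniform score)."""
    rng = random.Random(seed)
    A = [[rng.randrange(1, Q) for _ in range(N)] for _ in range(D)]
    W = short_dual_vectors(A)
    planted = [score(W, planted_target(A, rng)) for _ in range(targets)]
    uniform = [score(W, random_target(D, rng)) for _ in range(targets)]
    return len(W), min(planted), max(uniform)
```

The gap between the two score ranges is what the multi-target setting in the abstract exploits: averaging over many targets lets a far smaller W separate the two distributions.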

References

  1. Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25

  2. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)

  3. Aono, Y., Nguyen, P.Q.: Random sampling revisited: lattice enumeration with discrete pruning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 65–102. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_3

  4. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9, 1–38 (2015)

  5. Aharonov, D., Regev, O.: Lattice problems in NP\(\cap \)coNP. In: FOCS, pp. 362–371 (2004)

  6. Babai, L.: On Lovasz lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)

  7. Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post-quantum Cryptography. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7

  8. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: SODA, pp. 10–24 (2016)

  9. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. Cryptology ePrint Archive, Report 2019/498 (2019)

  10. Doulgerakis, E., Laarhoven, T., de Weger, B.: Finding closest lattice vectors using approximate Voronoi cells. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 3–22. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_1

  11. Doulgerakis, E., Laarhoven, T., de Weger, B.: Sieve, enumerate, slice, and lift: hybrid lattice algorithms for SVP via CVPP. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 301–320. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51938-4_15

  12. Ducas, L., Laarhoven, T., van Woerden, W.P.J.: The randomized slicer for CVPP: sharper, faster, smaller, batchier. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 3–36. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_1

  13. Dadush, D., Regev, O., Stephens-Davidowitz, N.: On the closest vector problem with a distance guarantee. In: CCC, pp. 98–109 (2014)

  14. Ducas, L., Stevens, M., van Woerden, W.: Advanced lattice sieving on GPUs, with tensor cores. Cryptology ePrint Archive, Report 2021/141 (2021). https://eprint.iacr.org/2021/141

  15. Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5

  16. Espitau, T., Joux, A., Kharchenko, N.: On a hybrid approach to solve small secret LWE. Cryptology ePrint Archive, Report 2020/515 (2020). https://eprint.iacr.org/2020/515

  17. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)

  18. Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell's inequality. In: STOC, pp. 207–216. ACM (2008)

  19. Herold, G., Kirshanova, E., May, A.: On the asymptotic complexity of solving LWE. Des. Codes Crypt. 86, 55–83 (2018)

  20. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC, pp. 193–206 (1983)

  21. Kannan, R.: Minkowski's convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)

  22. Laarhoven, T.: Search problems in cryptography. Ph.D. thesis, Eindhoven University of Technology (2016)

  23. Laarhoven, T.: Sieving for closest lattice vectors (with preprocessing). In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 523–542. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_28

  24. Laarhoven, T.: Approximate Voronoi cells for lattices, revisited. J. Math. Cryptol. 15(1), 60–71 (2020)

  25. Liu, Y.-K., Lyubashevsky, V., Micciancio, D.: On bounded distance decoding for general lattices. In: Díaz, J., Jansen, K., Rolim, J.D.P., Zwick, U. (eds.) APPROX/RANDOM 2006. LNCS, vol. 4110, pp. 450–461. Springer, Heidelberg (2006). https://doi.org/10.1007/11830924_41

  26. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21

  27. Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: STOC, pp. 351–358 (2010)

  28. Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: SODA, pp. 276–294 (2015)

  29. Micciancio, D., Walter, M.: Practical, predictable lattice basis reduction. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 820–849. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_31

  30. Neyman, J., Pearson, E.S.: On the problem of the most efficient tests of statistical hypotheses. Phil. Trans. R. Soc. Lond. A 231(694–706), 289–337 (1933)

  31. National Institute of Standards and Technology (NIST): Post-quantum cryptography (2017)

  32. Pellet-Mary, A., Hanrot, G., Stehlé, D.: Approx-SVP in ideal lattices with pre-processing. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 685–716. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_24

  33. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)

  34. Regev, O.: The learning with errors problem (invited survey). In: CCC, pp. 191–204 (2010)

  35. Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theoret. Comput. Sci. 53(2–3), 201–224 (1987)

  36. Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(2–3), 181–199 (1994)

  37. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: FOCS, pp. 124–134 (1994)

  38. Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36

  39. SVP challenge (2020). http://latticechallenge.org/svp-challenge/


Acknowledgments

The authors thank Sauvik Bhattacharya, Léo Ducas, Rachel Player, and Christine van Vredendaal for early discussions on this topic and on preliminary results.

Author information

Corresponding author: Michael Walter.


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Laarhoven, T., Walter, M. (2021). Dual Lattice Attacks for Closest Vector Problems (with Preprocessing). In: Paterson, K.G. (ed.) Topics in Cryptology – CT-RSA 2021. CT-RSA 2021. Lecture Notes in Computer Science, vol. 12704. Springer, Cham. https://doi.org/10.1007/978-3-030-75539-3_20


  • DOI: https://doi.org/10.1007/978-3-030-75539-3_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-75538-6

  • Online ISBN: 978-3-030-75539-3
