Predicting the Concrete Security of LWE Against the Dual Attack Using Binary Search

Abstract

The dual attack is widely used in the concrete security estimation of the learning with errors (LWE) problem. Predicting the concrete security of LWE against the dual attack, i.e., the minimal cost of the dual attack, is a constrained optimization problem. However, there is no complete theoretical analysis. We fill in this gap by proving that, for almost all LWE instances used in the design of public-key cryptographic schemes, the cost of the dual attack can be considered as a U-shape function. Therefore, we can predict the minimal cost with binary search. We use the binary search to predict the concrete security of all LWE-based algorithms in NIST-PQC and the experimental results demonstrate the accuracy of the binary search.

Appendices

A Comparison of \(\delta _0\) and the Simplified \(\delta _0\)

B The Proof of Some Lemmas

Lemma 2

\(\delta _0\) is a decreasing function when \(\beta \ge 2\pi e^{2.5}\).

Fig. 3.

Comparison of \(\delta _0\) and the simplified \(\delta _0\).

Proof

When \(\beta \ge 2\pi e^{2.5}\), we have

$$(\ln \delta _0)^\prime _\beta =\frac{1}{2(\beta -1)^2}(\ln \frac{2\pi e^2}{\beta }-\frac{1+(2\beta -1)\ln (\pi \beta )}{\beta ^2})<0, $$

thus \(\delta _0\) is a decreasing function.    \(\Box \)

Lemma 3

\(\beta ^2\ln \delta _0\) is an increasing function when \(\beta \ge 2\pi e^{2.5}\).

Proof

When \(\beta \ge 2\pi e^{2.5}\), we have

$$(\beta ^2\ln \delta _0)^\prime _{\beta }=\frac{\beta ^2}{2(\beta -1)^2}(\frac{\beta -2}{\beta }\ln \frac{\beta }{2\pi e}+1-\frac{1+\ln {(\pi \beta )}}{\beta ^2})>0,$$

thus \(\beta ^2\ln \delta _0\) is an increasing function.    \(\Box \)

Lemma 4

\(g(\beta _1)>0\) when \(q^2\ge \frac{n\ln q}{274.5\sigma _\mathbf {e}^2\ln (4\sigma _\mathbf {e}q)}\) and \(q\ge \frac{0.530}{\sigma _\mathbf {e}}\).

Proof

Define \(a=\frac{4\pi ^2(\log e)\sigma _\mathbf {e}^2q^2-4}{0.2075}\approx 274.5\sigma _\mathbf {e}^2q^2\). We have

$$q^2\ge \frac{n\ln q}{274.5\sigma _\mathbf {e}^2\ln (4\sigma _\mathbf {e}q)}\ge \frac{2n\ln q}{274.5\sigma _\mathbf {e}^2\ln \frac{a}{2\pi e}}\text {, i.e., } h(a)\approx \sqrt{\frac{2n\ln q}{a\ln \frac{a}{2\pi e}}}\le 1.$$

Since \(h(a)\le 1=h(\beta _2)\) and h is a decreasing function of \(\beta \), therefore, we have

   \(\Box \)

Lemma 5

\(g(\beta _2)<0\) when \(q^2\ge \frac{\sigma _\mathbf {e}^2n\ln q}{\ln \frac{q}{4\sigma _\mathbf {e}}}\) and \(q>8.5\sigma _\mathbf {e}\).

Proof

This proof is similar to that of Lemma 4.

Lemma 6

\((\delta _0)_\beta ^\prime \) is an increasing function when \(\beta \ge 2\pi e^{2.5}\).

Proof

When \(\beta \ge 2\pi e^{2.5}\), we have

$$(\ln \delta _0)^{\prime \prime }_{\beta \beta }=\frac{1}{2(\beta -1)^3\beta ^3}(2\beta ^3\ln \frac{\beta }{2\pi e^2}-\beta ^3+(6\beta ^2-6\beta +2)\ln (\pi \beta )-\beta ^2+7\beta -3)>0,$$

thus \((\delta _0)_\beta ^\prime \) is an increasing function.    \(\Box \)

Lemma 7

\( g_1=4\pi ^2\sigma _\mathbf {e}^2(\log e)q^{\frac{4n}{d^*}-2}+(a-0.2075)\beta -4\) is a decreasing function of \(\beta \) when \(2\pi e^{2.5}\le \beta \le \beta ^*\).

Proof

Compute

$$(g_1)^\prime _\beta =4\pi ^2\sigma _\mathbf {e}^2(\log e)q^{\frac{4n}{d^*}-2}(2d^*(\ln \delta _0)_\beta ^\prime )+a-0.2075,$$

$$(g_1)_{\beta \beta }^{\prime \prime }=4\pi ^2\sigma _\mathbf {e}^2(\log e)q^{\frac{4n}{d^*}-2}(2d^*(\ln \delta _0)_\beta ^\prime )((2d^*-\frac{1}{2\ln \delta _0})(\ln \delta _0)_\beta ^\prime +\frac{(\ln \delta _0)_{\beta \beta }^{\prime \prime }}{(\ln \delta _0)_\beta ^\prime }).$$

Since \((\ln \delta _0)_{\beta }^\prime <0\) (see Lemma 2), \((\ln \delta _0)_{\beta \beta }^{\prime \prime }>0\) (See Lemma 6) and

$$2d^*-\frac{1}{2\ln \delta _0}=\frac{4d^*\ln \delta _0-1}{2\ln \delta _0}\overset{d^*\ge \beta }{>}\frac{(\beta /(2\pi e))^2-1}{2\ln \delta _0}>0,$$

we have \((g_1)_{\beta \beta }^{\prime \prime }>0\), i.e., \((g_1)_\beta ^\prime \) is an increasing function. Furthermore, for \(\beta \in [2\pi e^{2.5},\beta ^*]\), we have

$$(g_1)_\beta ^\prime (\beta )<(g_1)_\beta ^\prime (\beta ^*)<-0.2075\frac{d^*}{\beta ^*}\ln \frac{\beta ^*}{2\pi e^2}+a-0.2075<0.$$

Consequently, for \(2\pi e^{2.5}\le \beta \le \beta ^*\), \(g_1\) is a decreasing function of \(\beta \).    \(\Box \)

C The Binary Search

Based on the conditions in Sect. 2, Theorem 1 and 2 provide the binary search to predict the minimal costs of dual attacks. However, the first condition makes the binary search inaccurate. Therefore, we fine-tuned the binary search and obtain the more accurate binary search Search-2 by the following steps:

1. 1.

   Propose the binary search Search-1 which doesn’t rely on the conditions: d and \(\beta \) are real numbers.

2. 2.

   Based on Search-1, propose the binary search Search-2 which doesn’t rely on the condition: d is unlimited.

We write \(\beta ^*\) and \(d^*\) for the optimal \(\beta \) and d respectively in Theorem 1 and 2. To obtain the minimal costs accurately, we use the costs in Eq. 1 and 2, the cost of MR or Albrecht dual attack is

$$T=2^{\max (f+a\beta ,a\beta )},$$

where

$$\begin{aligned}&f=4\pi ^2(\log e){\sigma _\mathbf {e}^2{\delta _0^{2d}}{q^\frac{2(n-d)}{d}}}-0.2075\beta -4\text { or}\\&f=4\pi ^2(\log e){\sigma _\mathbf {e}^2{\delta _0^{2d}}q^\frac{2(n-d)}{d}{({c^*})^\frac{-2n}{d}}}-0.2075\beta -4. \end{aligned}$$

Moreover, we denote the optimal \(\beta \) and d by \(\beta _0^*\) and \(d_0^*\) (resp., \(\beta _1^*\) and \(d_1^*\)) when attackers can obtain unlimited (resp., \(m_{max}\)) LWE samples and define

$$f_0=f(\beta , \lfloor d^*(\beta )\rfloor ), f_1=f(\beta , \lceil d^*(\beta )\rceil ), T_0=2^{\max (f_0+a\beta ,a\beta )}\text { and }T_1=2^{\max (f_1+a\beta ,a\beta )}.$$

• Step 1. The binary search Search-1 includes the following steps:

  1. 1.

     For each dual attack, we find the integers \(\beta _{i0}\) and \(\beta _{i1}\) (\(i=0,1\)) using binary search, which satisfy \(\beta _{i0}-\beta _{i1}=1\) and \(f_{i}(\beta _{i0})f_{i}(\beta _{i1})\le 0\).

  2. 2.

     For each dual attack, the minimal cost is \(T^{min}_0=2^{t_{min}}\), where

     $$t_{min}=\min (T_0(\beta _{00}),T_0(\beta _{01}),T_1(\beta _{10}),T_1(\beta _{11})).$$

     Therefore, we obtain \(\beta ^*_0\) and \(d_0\) to minimize each cost.

  3. 3.

     We have \(d_0^*=d_0\), when

     $$\log T_0^{min}=\max (f(\beta _0^*,d_0)+a\beta _0^*,a\beta ^*_0)=f(\beta _0^*,d_0)+a\beta _0^*.$$

     Otherwise, the integer \(d_0^*\) is the smallest d satisfying \(f(\beta _0^*,d)\le 0\) and can be obtained using binary search because \(f(\beta _0^*,d)\) is a decreasing function of d when \(d<d_0\).

  Consequently, if attackers can obtain unlimited number of LWE samples, we can obtain the minimal cost \(T^{min}_0\) and the optimal parameters (\(\beta _0^*\) and \(d_0^*\)) by the binary search Search-1.

• Step 2. To obtain Search-2, we provide the following two lemmas. We denote the maximum of the dimension d by \(d_{max}\) and define \(h=f(\beta ,d_{max})\), \(g=h+a\beta \).

Lemma 8

For each attack, the optimal d is \(d_{max}\) when \(d_{max}<d_0^*\).

Proof

Define \(d^*(\beta ^\prime )=d_{max}\), we have \(\beta _0^*>\beta ^\prime \) because \(d_{max}<d_0^*\approx d^*(\beta _0^*)\). For \(\beta >\beta ^\prime \), attackers can’t obtain \(d_0^*(\beta )\) LWE samples, in this case, \(d_{max}\) is the optimal d. For \(\beta <\beta ^\prime \), attackers can’t obtain the minimal cost. \(\Box \)

Lemma 9

When \(d_{max}<d_0^*\), we can obtain the logarithm of the minimal cost of each dual attack

$$\log T_1^{min}={\left\{ \begin{array}{ll} g(\beta _2) &{} h(\beta _2)\ge 0\\ \min (g(\beta _0),a\beta _1) &{}\text {Otherwise}\\ \end{array}\right. }$$

using binary search, where \(\beta _2=d_{max}\), integers \(\beta _0\) and \(\beta _1\) satisfy \(h(\beta _0)h(\beta _1)\le 0\) and \(\beta _0-\beta _1= 1\).

Proof

For each dual attack, h is a decreasing function of \(\beta \). If \(h(\beta _2)\ge 0\), we prove g is a decreasing function of \(\beta \) when \(\beta \in (2\pi e^{2.5},\beta _2]\), therefore, we have \( \log T_1^{min}=g(\beta _2)\). If \(h(\beta _2)<0\), there is a real number \(\beta ^{\prime \prime }\in [2\pi e^{2.5},\beta _2)\) making \(h(\beta ^{\prime \prime })=0\). In this case, g is also a decreasing function⁴ of \(\beta \) when \(\beta \in [2\pi e^{2.5},\beta ^{\prime \prime }]\). Consequently, we can obtain \(\log T_1^{min}=\min (g(\beta _1),a\beta _0)\) by finding the \(\beta _0\) and \(\beta _1\) using binary search.    \(\Box \)

According to Lemma 9, we provide the binary search Search-2:

1. 1.

   If \(d_0^*\le d_{max}\), \(T_0^{min}\) is also the minimal cost when attackers obtain \(m_{max}\) LWE samples.

2. 2.

   If \(d_0^*>d_{max}\), according to Lemma 9, we can obtain the minimal cost \(T_1^{min}\) and the optimal parameters (\(d_{max}\) and \(\beta _1^*\)).

3. 3.

   When \(d_0^*>d_{max}\), \(d_{max}\) may not be the unique optimal d to minimize the cost. Just like Search-1, we can obtain \(d_1^*\) (the smallest d to minimize the cost) using binary search.