Abstract
The dual attack is widely used in the concrete security estimation of the learning with errors (LWE) problem. Predicting the concrete security of LWE against the dual attack, i.e., the minimal cost of the dual attack, is a constrained optimization problem. However, there is no complete theoretical analysis. We fill this gap by proving that, for almost all LWE instances used in the design of public-key cryptographic schemes, the cost of the dual attack can be treated as a U-shaped function. Therefore, we can predict the minimal cost with binary search. We use the binary search to predict the concrete security of all LWE-based algorithms in NIST-PQC, and the experimental results demonstrate the accuracy of the binary search.
Notes
1. The scaling factor c only appears in the Albrecht dual attack.
2. The gap between the two formulas of \(\delta _0\) is very small (see Fig. 3 in Appendix A).
3. In fact, the accurate value of N is \(\max (1,\lceil \frac{1}{2^{0.2075\beta }\epsilon ^{2}}\rceil )\). The gap between the concrete security obtained with these two values of N is at most 1 bit, so we omit it.
4. This proof is similar to that of Lemma 7.
Acknowledgements
We thank the anonymous reviewers for their helpful comments and suggestions. Xianhui Lu and Shuaigang Li are supported by the National Natural Science Foundation of China (Grant No. 61972391). Jiang Zhang is supported by the National Natural Science Foundation of China (Grant Nos. 62022018, 61932019), the National Key Research and Development Program of China (Grant No. 2018YFB0804105).
Appendices
A Comparison of \(\delta _0\) and the Simplified \(\delta _0\)
B The Proof of Some Lemmas
Lemma 2
\(\delta _0\) is a decreasing function when \(\beta \ge 2\pi e^{2.5}\).
Proof
When \(\beta \ge 2\pi e^{2.5}\), we have
thus \(\delta _0\) is a decreasing function. \(\Box \)
Lemma 3
\(\beta ^2\ln \delta _0\) is an increasing function when \(\beta \ge 2\pi e^{2.5}\).
Proof
When \(\beta \ge 2\pi e^{2.5}\), we have
thus \(\beta ^2\ln \delta _0\) is an increasing function. \(\Box \)
Lemma 4
\(g(\beta _1)>0\) when \(q^2\ge \frac{n\ln q}{274.5\sigma _\mathbf {e}^2\ln (4\sigma _\mathbf {e}q)}\) and \(q\ge \frac{0.530}{\sigma _\mathbf {e}}\).
Proof
Define \(a=\frac{4\pi ^2(\log e)\sigma _\mathbf {e}^2q^2-4}{0.2075}\approx 274.5\sigma _\mathbf {e}^2q^2\). We have
Since \(h(a)\le 1=h(\beta _2)\) and h is a decreasing function of \(\beta \), we have
   \(\Box \)
Lemma 5
\(g(\beta _2)<0\) when \(q^2\ge \frac{\sigma _\mathbf {e}^2n\ln q}{\ln \frac{q}{4\sigma _\mathbf {e}}}\) and \(q>8.5\sigma _\mathbf {e}\).
Proof
This proof is similar to that of Lemma 4.
Lemma 6
\((\delta _0)_\beta ^\prime \) is an increasing function when \(\beta \ge 2\pi e^{2.5}\).
Proof
When \(\beta \ge 2\pi e^{2.5}\), we have
thus \((\delta _0)_\beta ^\prime \) is an increasing function. \(\Box \)
Lemma 7
\( g_1=4\pi ^2\sigma _\mathbf {e}^2(\log e)q^{\frac{4n}{d^*}-2}+(a-0.2075)\beta -4\) is a decreasing function of \(\beta \) when \(2\pi e^{2.5}\le \beta \le \beta ^*\).
Proof
Compute
Since \((\ln \delta _0)_{\beta }^\prime <0\) (see Lemma 2), \((\ln \delta _0)_{\beta \beta }^{\prime \prime }>0\) (see Lemma 6) and
we have \((g_1)_{\beta \beta }^{\prime \prime }>0\), i.e., \((g_1)_\beta ^\prime \) is an increasing function. Furthermore, for \(\beta \in [2\pi e^{2.5},\beta ^*]\), we have
Consequently, for \(2\pi e^{2.5}\le \beta \le \beta ^*\), \(g_1\) is a decreasing function of \(\beta \). \(\Box \)
C The Binary Search
Based on the conditions in Sect. 2, Theorems 1 and 2 provide the binary search to predict the minimal costs of dual attacks. However, the first condition makes the binary search inaccurate. Therefore, we fine-tune the binary search and obtain a more accurate binary search, Search-2, in the following steps:
1. Propose the binary search Search-1, which does not rely on the condition that d and \(\beta \) are real numbers.
2. Based on Search-1, propose the binary search Search-2, which does not rely on the condition that d is unlimited.
We write \(\beta ^*\) and \(d^*\) for the optimal \(\beta \) and d, respectively, in Theorems 1 and 2. To obtain the minimal costs accurately, we use the costs in Eqs. 1 and 2; the cost of the MR or Albrecht dual attack is
where
Moreover, we denote the optimal \(\beta \) and d by \(\beta _0^*\) and \(d_0^*\) (resp., \(\beta _1^*\) and \(d_1^*\)) when attackers can obtain unlimited (resp., \(m_{max}\)) LWE samples, and define
Step 1. The binary search Search-1 includes the following steps:
1. For each dual attack, we find the integers \(\beta _{i0}\) and \(\beta _{i1}\) (\(i=0,1\)) using binary search, which satisfy \(\beta _{i0}-\beta _{i1}=1\) and \(f_{i}(\beta _{i0})f_{i}(\beta _{i1})\le 0\).
2. For each dual attack, the minimal cost is \(T^{min}_0=2^{t_{min}}\), where
$$t_{min}=\min (T_0(\beta _{00}),T_0(\beta _{01}),T_1(\beta _{10}),T_1(\beta _{11})).$$
Therefore, we obtain \(\beta ^*_0\) and \(d_0\) to minimize each cost.
3. We have \(d_0^*=d_0\) when
$$\log T_0^{min}=\max (f(\beta _0^*,d_0)+a\beta _0^*,a\beta ^*_0)=f(\beta _0^*,d_0)+a\beta _0^*.$$
Otherwise, the integer \(d_0^*\) is the smallest d satisfying \(f(\beta _0^*,d)\le 0\) and can be obtained using binary search, because \(f(\beta _0^*,d)\) is a decreasing function of d when \(d<d_0\).
Consequently, if attackers can obtain an unlimited number of LWE samples, we can obtain the minimal cost \(T^{min}_0\) and the optimal parameters (\(\beta _0^*\) and \(d_0^*\)) by the binary search Search-1.
Step 2. To obtain Search-2, we provide the following two lemmas. We denote the maximum of the dimension d by \(d_{max}\) and define \(h=f(\beta ,d_{max})\), \(g=h+a\beta \).
Lemma 8
For each attack, the optimal d is \(d_{max}\) when \(d_{max}<d_0^*\).
Proof
Define \(\beta ^\prime \) by \(d^*(\beta ^\prime )=d_{max}\). Then \(\beta _0^*>\beta ^\prime \) because \(d_{max}<d_0^*\approx d^*(\beta _0^*)\). For \(\beta >\beta ^\prime \), attackers cannot obtain \(d_0^*(\beta )\) LWE samples, so in this case \(d_{max}\) is the optimal d. For \(\beta <\beta ^\prime \), attackers cannot obtain the minimal cost. \(\Box \)
Lemma 9
When \(d_{max}<d_0^*\), we can obtain the logarithm of the minimal cost of each dual attack
using binary search, where \(\beta _2=d_{max}\), integers \(\beta _0\) and \(\beta _1\) satisfy \(h(\beta _0)h(\beta _1)\le 0\) and \(\beta _0-\beta _1= 1\).
Proof
For each dual attack, h is a decreasing function of \(\beta \). If \(h(\beta _2)\ge 0\), we prove that g is a decreasing function of \(\beta \) for \(\beta \in (2\pi e^{2.5},\beta _2]\), and therefore \( \log T_1^{min}=g(\beta _2)\). If \(h(\beta _2)<0\), there is a real number \(\beta ^{\prime \prime }\in [2\pi e^{2.5},\beta _2)\) with \(h(\beta ^{\prime \prime })=0\). In this case, g is also a decreasing function of \(\beta \) for \(\beta \in [2\pi e^{2.5},\beta ^{\prime \prime }]\) (see footnote 4). Consequently, we obtain \(\log T_1^{min}=\min (g(\beta _1),a\beta _0)\) by finding \(\beta _0\) and \(\beta _1\) using binary search. \(\Box \)
According to Lemma 9, we provide the binary search Search-2:
1. If \(d_0^*\le d_{max}\), \(T_0^{min}\) is also the minimal cost when attackers obtain \(m_{max}\) LWE samples.
2. If \(d_0^*>d_{max}\), according to Lemma 9, we can obtain the minimal cost \(T_1^{min}\) and the optimal parameters (\(d_{max}\) and \(\beta _1^*\)).
3. When \(d_0^*>d_{max}\), \(d_{max}\) may not be the unique optimal d to minimize the cost. Just like Search-1, we can obtain \(d_1^*\) (the smallest d to minimize the cost) using binary search.
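As an added illustration (not code from the paper), the two binary-search primitives that Search-1 (Steps 1 and 3) and Lemma 9 rely on, written in Python: bracketing the sign change of a decreasing function of \(\beta \) between consecutive integers, and finding the smallest d satisfying a threshold, together with a numerical check of Lemmas 2 and 3. The dual-attack cost functions f, g and h are not reproduced on this page, so they are taken as callables; \(\delta _0\) is assumed to be the standard BKZ root-Hermite heuristic, and the sample count N follows note 3.

```python
import math

# Assumption: delta_0 is the standard BKZ root-Hermite heuristic for block size
# beta; the page's own delta_0 formula (Lemma 2, Fig. 3) is not reproduced here.
def delta0(beta: float) -> float:
    return ((beta / (2 * math.pi * math.e)) * (math.pi * beta) ** (1.0 / beta)) ** (1.0 / (2 * (beta - 1)))

def beta2_ln_delta0(beta: float) -> float:
    return beta * beta * math.log(delta0(beta))   # the quantity of Lemma 3

BETA_MIN = 2 * math.pi * math.e ** 2.5  # ~76.5, the threshold of Lemmas 2, 3 and 6

def sample_count(beta: float, eps: float) -> int:
    # N = max(1, ceil(1 / (2^{0.2075 beta} eps^2))), the accurate value from note 3
    return max(1, math.ceil(1.0 / (2 ** (0.2075 * beta) * eps * eps)))

def bracket_sign_change(h, lo: int, hi: int):
    """Step 1 of Search-1 / Lemma 9: for h decreasing on integers with
    h(lo) >= 0 >= h(hi), return consecutive integers (b0, b1) with
    b0 - b1 == 1 and h(b0) * h(b1) <= 0, using O(log(hi - lo)) evaluations."""
    if h(lo) < 0 or h(hi) > 0:
        raise ValueError("h has no sign change on [lo, hi]")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if h(mid) >= 0:
            lo = mid      # the sign change lies to the right of mid
        else:
            hi = mid      # the sign change lies to the left of mid
    return hi, lo         # h(lo) >= 0 >= h(hi) and hi - lo == 1

def smallest_int_satisfying(pred, lo: int, hi: int) -> int:
    """Step 3 of Search-1: smallest d in [lo, hi] with pred(d) True, where pred
    is False below some threshold and True from it on (e.g. f(beta*, d) <= 0
    with f decreasing in d)."""
    if not pred(hi):
        raise ValueError("pred never holds on [lo, hi]")
    while lo < hi:
        mid = (lo + hi) // 2
        if pred(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo

def monotone_on_integers(fn, lo: int, hi: int, decreasing: bool) -> bool:
    """Numerical check of Lemma 2 (delta0 decreasing) and Lemma 3
    (beta^2 ln delta0 increasing) over the integers lo..hi."""
    vals = [fn(b) for b in range(lo, hi + 1)]
    return all((x > y) if decreasing else (x < y) for x, y in zip(vals, vals[1:]))
```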
© 2021 Springer Nature Switzerland AG
Li, S., Lu, X., Zhang, J., Li, B., Bi, L. (2021). Predicting the Concrete Security of LWE Against the Dual Attack Using Binary Search. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science, vol. 12919. Springer, Cham. https://doi.org/10.1007/978-3-030-88052-1_16
DOI: https://doi.org/10.1007/978-3-030-88052-1_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88051-4
Online ISBN: 978-3-030-88052-1