
How to Find Ternary LWE Keys Using Locality Sensitive Hashing

  • Conference paper
  • Cryptography and Coding (IMACC 2021)

Abstract

Let \(As = b + e \bmod q\) be an LWE-instance with ternary keys \(s,e \in \{0, \pm 1\}^n\). Let s be taken from a search space of size \(\mathcal {S}\). A standard Meet-in-the-Middle attack recovers s in time \(\mathcal {S}^{0.5}\). Using the representation technique, a recent improvement of May shows that this can be lowered to approximately \(\mathcal {S}^{0.25}\) by guessing a sub-linear number of \(\varTheta (\frac{n}{\log n})\) coordinates from e. While guessing such an amount of e can asymptotically be neglected, for concrete instantiations of e.g. NTRU, BLISS or GLP the additional cost of guessing leads to complexities around \(\mathcal {S}^{0.3}\).

We introduce a locality sensitive hashing (LSH) technique based on Odlyzko’s work that avoids any guessing of e’s coordinates. This LSH technique involves a comparably small cost such that we can significantly improve on previous results, pushing complexities towards the asymptotic bound \(\mathcal {S}^{0.25}\). Concretely, using LSH we lower the MitM complexity estimates for the currently suggested NTRU and NTRU Prime instantiations by a factor in the range \(2^{20}-2^{49}\), and for BLISS and GLP parameters by a factor in the range \(2^{18}-2^{41}\).
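As an added illustration, not code from the paper or its repository, the following Python script runs the classical Meet-in-the-Middle attack on a small ternary-key LWE instance and matches the two halves with Odlyzko's locality sensitive hash instead of guessing coordinates of e. It splits s into two halves rather than using the representation technique, so its cost is the plain \(\mathcal {S}^{0.5}\) of the baseline attack, not the \(\mathcal {S}^{0.25}\) the paper approaches; the parameters n = 12, m = 16, q = 257 and the "try both bits at a boundary coordinate" lookup are assumptions of this example.

```python
"""Toy Meet-in-the-Middle (MitM) on a ternary-key LWE instance A s = b + e (mod q)
using Odlyzko's locality sensitive hash. Added illustration only: it splits s into
two halves (no representation technique), and n, m, q below are assumed toy values."""
import itertools
import random


def matvec(A, v, q):
    """A v mod q for a list-of-rows matrix A and a vector v."""
    return [sum(a * x for a, x in zip(row, v)) % q for row in A]


def lwe_instance(n, m, q, seed):
    """Constructed sample: random A in Z_q^{m x n}, ternary s and e, b = A s - e mod q."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.choice((-1, 0, 1)) for _ in range(n)]
    e = [rng.choice((-1, 0, 1)) for _ in range(m)]
    b = [(ai - ei) % q for ai, ei in zip(matvec(A, s, q), e)]
    return A, b, s, e


def is_solution(A, b, s, q):
    """s solves the instance iff every coordinate of A s - b mod q lies in {0, +1, -1}."""
    return all((ai - bi) % q in (0, 1, q - 1) for ai, bi in zip(matvec(A, s, q), b))


def odlyzko_label(v, q):
    """One hash bit per coordinate: 0 if v_i lies in [0, q/2), 1 otherwise."""
    return tuple(0 if vi < q // 2 else 1 for vi in v)


def boundary(vi, q):
    """Coordinates at which adding a ternary error can flip the Odlyzko bit."""
    return vi in (0, q // 2 - 1, q // 2, q - 1)


def labels_under_ternary_noise(v, q):
    """Every label that v + e can take for e in {-1,0,1}^m: the bit is fixed away from
    the boundaries, both bits are tried at a boundary coordinate (multiple-label lookup)."""
    choices = [(0, 1) if boundary(vi, q) else (0 if vi < q // 2 else 1,) for vi in v]
    return itertools.product(*choices)


def mitm_odlyzko(A, b, q, n1):
    """Split s = (s1 | s2) with s1 on the first n1 coordinates. Because
    A1 s1 = (b - A2 s2) + e mod q, the two sides differ only by the small error e:
    store A1 s1 under its Odlyzko label, then for each s2 look up every label that
    b - A2 s2 + e can take. No coordinate of e is ever guessed."""
    n = len(A[0])
    A1 = [row[:n1] for row in A]
    A2 = [row[n1:] for row in A]
    table = {}
    for s1 in itertools.product((-1, 0, 1), repeat=n1):
        table.setdefault(odlyzko_label(matvec(A1, s1, q), q), []).append(s1)
    for s2 in itertools.product((-1, 0, 1), repeat=n - n1):
        y = [(bi - ai) % q for bi, ai in zip(b, matvec(A2, s2, q))]
        for lab in labels_under_ternary_noise(y, q):
            for s1 in table.get(lab, ()):
                s = list(s1) + list(s2)
                if is_solution(A, b, s, q):  # exact check on the few hash collisions
                    return s
    return None


if __name__ == "__main__":
    A, b, s, e = lwe_instance(n=12, m=16, q=257, seed=7)
    print("recovered:", mitm_odlyzko(A, b, 257, n1=6) == s)
```

Each coordinate of b - A2 s2 lands on one of the four boundary values with probability 4/q, so a query touches about \(2^{4m/q}\) buckets on average; this is the "comparably small cost" of the LSH step. The multiple-label handling is placed on the query side here (more lookups, one table entry per s1); the paper's footnote notes that the worst-case variant of [Ind01] handles this differently and is less memory-efficient in the average case.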

Elena Kirshanova: Supported by the Ministry of Science and Higher Education of the Russian Federation (agreement no. 075-02-2021-1748) and the “Young Russian Mathematics” grant.


Notes

  1. The scripts to reproduce the tables are available at https://github.com/ElenaKirshanova/ntru_with_lsh.

  2. In fact, the ‘multiple’ labels assignment is what is done in [Ind01] to handle worst-case inputs. We could also use this algorithm but it turns out to be less memory-efficient than what we propose for the average-case setting.

  3. We used commit 4027151 of the branch NTRU_keygen, https://github.com/lducas/leaky-LWE-Estimator/tree/NTRU_keygen.

References

  1. Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19


  2. Albrecht, M.R., Curtis, B.R., Wunderer, T.: Exploring trade-offs in batch bounded distance decoding. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 467–491. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_19


  3. Albrecht, M.R., Amit, D., Paterson, K.G.: Cold boot attacks on ring and module LWE keys under the NTT. IACR TCHES 2018(3), 173–213 (2018). https://tches.iacr.org/index.php/TCHES/article/view/7273

  4. Andoni, A., Indyk, P.: Near-optimal hashing algorithms for approximate nearest neighbor in high dimensions. In: 47th FOCS, pp. 459–468. IEEE Computer Society Press, October 2006


  5. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)


  6. Bernstein, D.J., et al.: NTRU Prime: round 3 (2020). https://ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf

  7. Becker, A., Coron, J.-S., Joux, A.: Improved generic algorithms for hard knapsacks. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 364–385. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_21


  8. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, January 2016


  9. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): How 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31


  10. Chen, C., et al.: PQC round-3 candidate: NTRU. Technical report (2020). https://ntru.org/f/ntru-20190330.pdf

  11. Dachman-Soled, D., Ducas, L., Gong, H., Rossi, M.: LWE with side information: attacks and concrete security estimation. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 329–358. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_12


  12. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3


  13. Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_31


  14. Howgrave-Graham, N., Joux, A.: New generic algorithms for hard knapsacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 235–256. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_12


  15. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868


  16. Halderman, J.A., et al.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009)


  17. IEEE standard specification for public key cryptographic techniques based on hard problems over lattices. IEEE Std 1363.1-2008, pp. 1–81 (2008)


  18. Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, STOC 1998, pp. 604–613 (1998)


  19. Indyk, P.: On approximate nearest neighbors under \(\ell _\infty \)-norm. J. Comput. Syst. Sci. 63(4), 627–638 (2001)


  20. Kirshanova, E., May, A.: How to find ternary LWE keys using locality sensitive hashing. Cryptology ePrint Archive, Report 2021/1255 (2021). https://eprint.iacr.org/2021/1255

  21. May, A.: How to meet ternary LWE keys. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 701–731. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_24


  22. May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9


  23. Nguyen, P.: Boosting the hybrid attack on NTRU: Torus LSH, permuted HNF and boxed sphere (2021). https://csrc.nist.gov/Presentations/2021/boosting-the-hybrid-attack-on-ntru


Corresponding author: Alexander May


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Kirshanova, E., May, A. (2021). How to Find Ternary LWE Keys Using Locality Sensitive Hashing. In: Paterson, M.B. (ed.) Cryptography and Coding. IMACC 2021. Lecture Notes in Computer Science, vol 13129. Springer, Cham. https://doi.org/10.1007/978-3-030-92641-0_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-92641-0_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92640-3

  • Online ISBN: 978-3-030-92641-0
