A Combination Reduction Algorithm and Its Application

Abstract

After the Snowden incident, cryptographic subversion attack has attracted widespread attentions. Subversion attack is an unconventional attack inside machines, which has strong concealment. It will threaten the security of existing cryptography systems and seriously damage the confidentiality and integrity of communication. In this paper, we construct a subversion attack scheme on the multi-bit version of the learning with errors (LWE) encryption scheme proposed by Peikert, Vaikuntanathan and Waters, which is similar to the construction over the single-bit LWE encryption scheme. During the construction, the NTRU encryption scheme proposed by Zhang et al., is used to encrypt and decrypt the underlying message. In addition, the process of embedding underlying message into LWE ciphertext can be transformed into solving the ISIS problem. Therefore, a subversion attack scheme on the multi-bit version of LWE encryption scheme can be constructed by solving the ISIS problem successfully. With proper parameters selection, we use BKZ algorithm, BKZ algorithm and segment-LLL combined reduction algorithm to solve the ISIS problem, respectively. Finally, our experiments show that the combination reduction algorithm can improve the success rate of solving ISIS problem, and then promote the attack effect of subversion attack.

Appendix

Proof

In game \(\textrm{G}_{i}\), \(S_{i}\) denotes \(b=b^{'}\), \(\mathcal {A}\) is an adversary, the game is described in Table 6.

Game \(\textrm{G}_{1}\) and \(\textrm{G}_{2}\) differ only in the encryption stage: In game \(\textrm{G}_{1}\), the vector \(\textbf{c}_{1} \leftarrow _{\$} \mathbf {Enc_{ntru}}(\textbf{m}^{'},\textrm{spk})\), while in game \(\textrm{G}_{2}\), \(\textbf{c}_{1} \leftarrow _{\$} \mathbb {Z}_{q}^{N}\). \(\epsilon _{1}=|\Pr [S_{2}]- \Pr [S_{1}] |\) is negligible, since the \(\mathrm {IND\$-CPA}\) security of NTRU encryption scheme.

Game \(\textrm{G}_{2}\) and \(\textrm{G}_{3}\) differ only in the \(\textbf{LatticeSolve}\) stage: In game \(\textrm{G}_{2}\), the vector \(\textbf{e}_{1}\leftarrow _{\$}\textbf{LatticeSolve}(\textbf{A},\mathbf {c_{1}}\)), while in Game \(\textrm{G}_{3}\), \(\textbf{e}_{1}\leftarrow _{\$} \mathbb {Z}^{m}\). In game \(\textrm{G}_{2}\), \(\textbf{c}_{1}\) is sampled from \(\mathbb {Z}_{q}^{N}\) randomly, and \(\mathbf {Ae_{1}\equiv c_{1}} \pmod {q^{'}}\). When matrix \(\textbf{A}\) is fixed, it is hard to distinguish between \(\textbf{e}_{1}\leftarrow _{\$}\textbf{LatticeSolve}(\textbf{A},\textbf{c}_{1})\) and \(\textbf{e}_{1}\leftarrow _{\$} \mathbb {Z}^{m}\). Thus \(\epsilon _{2}=|\Pr [S_{3}]- \Pr [S_{2}] |\) is negligible.

Table 6. The description of game \({\textrm{G}}_{1}-\textrm{G}_{3}\).

In game \(\textrm{G}_{3}\), the vector \(\textbf{e}_{1}\) is sampled from \(\mathbb {Z}^{m}\) randomly and the algorithm \(\mathbf {\widetilde{Enc}}\) is consistent with the algorithm in the original LWE encryption scheme. Therefore,

$$\epsilon _{3}=|2\Pr [S_{3}]- 1 |=0.$$

Let \(\epsilon = 2\epsilon _{1}+ 2\epsilon _{2} +\epsilon _{3}\), the advantage of \(\mathcal {D}\) to detect SA satifies:

$$\begin{aligned}{} & {} \textbf{Adv}_{\mathrm {\Pi ,\widetilde{\Pi }}}{(\mathcal {D})} = |2\Pr [S_{1}]-1 |\\{} & {} = |2\Pr [S_{1}]-2 \Pr [S_{2}] + 2\Pr [S_{2}]-2 \Pr [S_{3}] +2\Pr [S_{3}]-1 |\\{} & {} \le |2\Pr [S_{1}]-2 \Pr [S_{2}] |+|2\Pr [S_{2}]-2 \Pr [S_{3}] |+|2\Pr [S_{3}]-1 |\\{} & {} = 2\epsilon _{1}+ 2\epsilon _{2} +\epsilon _{3}\\{} & {} = \epsilon . \end{aligned}$$

Because NTRU and LWE encryption scheme are both post-quantum cryptograph, this conclusion still holds even though adversy has quantum computing capabilities.