Abstract
We present cryptanalysis of the inhomogeneous short integer solution (\(\textsf{ISIS}\)) problem for anomalously small moduli \(q\) by exploiting the geometry of BKZ-reduced bases of \(q\)-ary lattices.
We apply this cryptanalysis to examples from the literature where taking such small moduli has been suggested. A recent work [Espitau–Tibouchi–Wallet–Yu, CRYPTO 2022] suggests small \(q\) versions of the lattice signature scheme Falcon and its variant Mitaka. For one small \(q\) parametrisation of Falcon we reduce the estimated security against signature forgery by approximately 26 bits. For one small \(q\) parametrisation of Mitaka we successfully forge a signature in 15 s.
Notes
1. For simplicity we consider the expected square length of the region \({[-q/2,q/2]}^n\).
2. Given early communication with the authors, the parameters of [11] were revised.
3. Even \(N\) relates to odd \(q = 2N+1\). Allowing for even \(q\), where \(\textsf{Cube}_n\left( q\right) \) is non-symmetric, requires slightly more care. We are concerned with odd \(q\) in this work.
4.
5.
6. For simplicity, one may think of including \({\textbf{0}}\) in the database to allow the iteration to keep short vectors already present in the database.
7. Strictly speaking, the NTRU assumption only states that the number ring element from which the matrix \({\textbf{H}}\) can be reconstructed is indistinguishable from uniform.
References
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press, May 1996. https://doi.org/10.1145/237814.237838
Albrecht, M.R., Ducas, L.: Lattice Attacks on NTRU and LWE: A History of Refinements. London Mathematical Society Lecture Note Series, pp. 15–40. Cambridge University Press (2021). https://doi.org/10.1017/9781108854207.004
Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 327–343. USENIX Association, August 2016
Aono, Y., Nguyen, P.Q.: Random sampling revisited: lattice enumeration with discrete pruning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 65–102. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_3
Aono, Y., Wang, Y., Hayashi, T., Takagi, T.: Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 789–819. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_30
Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986). https://doi.org/10.1007/BF02579403
Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, January 2016. https://doi.org/10.1137/1.9781611974331.ch2
Bos, J.W., et al.: HAWK. Technical report, National Institute of Standards and Technology (2023, to appear). https://csrc.nist.gov/projects/pqc-dig-sig
Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Université Paris 7, supervised by Nguyen, P.Q., July 2013. http://www.theses.fr/2013PA077242
Devevey, J., Fawzi, O., Passelègue, A., Stehlé, D.: On rejection sampling in Lyubashevsky's signature scheme. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13794, pp. 34–64. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_2
Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5
Ducas, L., Postlethwaite, E.W., Pulles, L.N., van Woerden, W.: Hawk: module LIP makes lattice signatures fast, compact and simple. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part IV. LNCS, vol. 13794, pp. 65–94. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_3
Ducas, L., van Woerden, W.: NTRU fatigue: how stretched is overstretched? In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13093, pp. 3–32. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_1
Espitau, T., et al.: Mitaka: a simpler, parallelizable, maskable variant of falcon. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part III. LNCS, vol. 13277, pp. 222–253. Springer, Heidelberg, May/June 2022. https://doi.org/10.1007/978-3-031-07082-2_9
Espitau, T., Tibouchi, M., Wallet, A., Yu, Y.: Shorter hash-and-sign lattice-based signatures. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 245–275. Springer, Heidelberg, August 2022. https://doi.org/10.1007/978-3-031-15979-4_9
Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg, August 2007. https://doi.org/10.1007/978-3-540-74143-5_9
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982). https://doi.org/10.1007/BF01457454
Lyubashevsky, V., et al.: CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007). https://doi.org/10.1137/S0097539705447360
Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008). https://doi.org/10.1515/JMC.2008.009
Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022
Rousseau, C.C., Ruehr, O.G.: Problems and solutions. SIAM Rev. 39(4), 761–789 (1997). https://doi.org/10.1137/SIREAD000039000004000761000001
Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1), 181–199 (1994). https://doi.org/10.1007/BF01581144
Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36494-3_14
The FPLLL development team: fpylll, a Python wrapper for the fplll lattice reduction library, Version: 0.5.9 (2023). https://github.com/fplll/fpylll
The G6K development team: The general sieve kernel, Version: 0.1.2 (2023). https://github.com/fplll/g6k
Acknowledgements
The authors thank Damien Stehlé and Yang Yu for useful discussions, and the reviewers for their comments. The research of L. Ducas and E.W. Postlethwaite was supported by the ERC-StG-ARTICULATE project (no. 947821).
© 2023 International Association for Cryptologic Research
Cite this paper
Ducas, L., Espitau, T., Postlethwaite, E.W. (2023). Finding Short Integer Solutions When the Modulus Is Small. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_6
DOI: https://doi.org/10.1007/978-3-031-38548-3_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38547-6
Online ISBN: 978-3-031-38548-3
eBook Packages: Computer Science, Computer Science (R0)