Finding Short Integer Solutions When the Modulus Is Small

  • Conference paper
  • Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Abstract

We present cryptanalysis of the inhomogeneous short integer solution (\(\textsf{ISIS}\)) problem for anomalously small moduli \(q\) by exploiting the geometry of BKZ-reduced bases of q-ary lattices.

We apply this cryptanalysis to examples from the literature where taking such small moduli has been suggested. A recent work [Espitau–Tibouchi–Wallet–Yu, CRYPTO 2022] suggests small \(q\) versions of the lattice signature scheme Falcon and its variant Mitaka. For one small \(q\) parametrisation of Falcon we reduce the estimated security against signature forgery by approximately 26 bits. For one small \(q\) parametrisation of Mitaka we successfully forge a signature in 15 s.

Notes

  1. For simplicity we consider the expected square length of the region \({[-q/2,q/2]}^n\).

  2. Given early communication with the authors, the parameters of [11] were revised.

  3. Even \(N\) relates to odd \(q = 2N+1\). Allowing for even \(q\), where \(\textsf{Cube}_n\left( q\right) \) is non-symmetric, requires slightly more care. We are concerned with odd \(q\) in this work.

  4. https://github.com/verdiverdiverdi/ball-box.

  5. https://crypto.stackexchange.com/questions/87097/.

  6. For simplicity, one may think of including \({\textbf{0}}\) in the database to allow the iteration to keep short vectors already present in the database.

  7. Strictly speaking, the NTRU assumption only states that the number ring element from which the matrix \({\textbf{H}}\) can be reconstructed is indistinguishable from uniform.

References

  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press, May 1996. https://doi.org/10.1145/237814.237838

  2. Albrecht, M.R., Ducas, L.: Lattice Attacks on NTRU and LWE: A History of Refinements. London Mathematical Society Lecture Note Series, pp. 15–40. Cambridge University Press (2021). https://doi.org/10.1017/9781108854207.004

  3. Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25

  4. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 327–343. USENIX Association, August 2016

  5. Aono, Y., Nguyen, P.Q.: Random sampling revisited: lattice enumeration with discrete pruning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 65–102. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_3

  6. Aono, Y., Wang, Y., Hayashi, T., Takagi, T.: Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 789–819. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_30

  7. Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986). https://doi.org/10.1007/BF02579403

  8. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, January 2016. https://doi.org/10.1137/1.9781611974331.ch2

  9. Bos, J.W., et al.: HAWK. Technical report, National Institute of Standards and Technology (2023, to appear). https://csrc.nist.gov/projects/pqc-dig-sig

  10. Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Paris, July 2013. http://www.theses.fr/2013PA077242, thèse de doctorat dirigée par Nguyen, Phong-Quang Informatique Paris 7 2013

  11. Devevey, J., Fawzi, O., Passelègue, A., Stehlé, D.: On Rejection Sampling in Lyubashevsky’s Signature Scheme. In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology, ASIACRYPT 2022. LNCS, vol. 13794, pp. 34–64. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_2

  12. Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5

  13. Ducas, L., Postlethwaite, E.W., Pulles, L.N., Woerden, W.: Hawk: module LIP makes lattice signatures fast, compact and simple. In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology, ASIACRYPT 2022, Part IV. LNCS, vol. 13794, pp. 65–94. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_3

  14. Ducas, L., van Woerden, W.: NTRU fatigue: how stretched is overstretched? In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13093, pp. 3–32. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_1

  15. Espitau, T., et al.: Mitaka: a simpler, parallelizable, maskable variant of falcon. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part III. LNCS, vol. 13277, pp. 222–253. Springer, Heidelberg, May/June 2022. https://doi.org/10.1007/978-3-031-07082-2_9

  16. Espitau, T., Tibouchi, M., Wallet, A., Yu, Y.: Shorter hash-and-sign lattice-based signatures. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, August 2022, vol. 13508, pp. 245–275. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_9

  17. Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, August 2007, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_9

  18. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982). https://doi.org/10.1007/BF01457454

  19. Lyubashevsky, V., et al.: CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022

  20. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007). https://doi.org/10.1137/S0097539705447360

  21. Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008). https://doi.org/10.1515/JMC.2008.009

  22. Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022

  23. Rousseau, C.C., Ruehr, O.G.: Problems and solutions. SIAM Rev. 39(4), 761–789 (1997). https://doi.org/10.1137/SIREAD000039000004000761000001

  24. Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1), 181–199 (1994). https://doi.org/10.1007/BF01581144

  25. Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36494-3_14

  26. The FPLLL development team: fpylll, a Python wrapper for the fplll lattice reduction library, Version: 0.5.9 (2023). https://github.com/fplll/fpylll

  27. The G6K development team: The general sieve kernel, Version: 0.1.2 (2023). https://github.com/fplll/g6k

Acknowledgements

The authors thank Damien Stehlé and Yang Yu for useful discussions, and the reviewers for their comments. The research of L. Ducas and E.W. Postlethwaite was supported by the ERC-StG-ARTICULATE project (no. 947821).

Author information

Correspondence to Eamonn W. Postlethwaite.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Ducas, L., Espitau, T., Postlethwaite, E.W. (2023). Finding Short Integer Solutions When the Modulus Is Small. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_6

  • DOI: https://doi.org/10.1007/978-3-031-38548-3_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38547-6

  • Online ISBN: 978-3-031-38548-3
