Revisiting Security Estimation for LWE with Hints from a Geometric Perspective

  • Conference paper
  • Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Abstract

The Distorted Bounded Distance Decoding Problem (\(\textsf{DBDD}\)) was introduced by Dachman-Soled et al. [Crypto ’20] as an intermediate problem between \(\textsf{LWE}\) and unique-SVP (\({\textsf{uSVP}}\)). They presented an approach that reduces an \(\textsf{LWE}\) instance to a \(\textsf{DBDD}\) instance, integrates side information (or “hints”) into the \(\textsf{DBDD}\) instance, and finally reduces it to a \({\textsf{uSVP}}\) instance, which can be solved via lattice reduction. They showed that this principled approach can lead to algorithms for side-channel attacks that perform better than ad-hoc algorithms that do not rely on lattice reduction.

The current work focuses on new methods for integrating hints into a \(\textsf{DBDD}\) instance. We view hints from a geometric perspective, as opposed to the distributional perspective from the prior work. Our approach provides the rigorous promise that, as hints are integrated into the \(\textsf{DBDD}\) instance, the correct solution remains a lattice point contained in the specified ellipsoid.

We instantiate our approach with two new types of hints: (1) Inequality hints, corresponding to the region of intersection of an ellipsoid and a halfspace; (2) Combined hints, corresponding to the region of intersection of two ellipsoids. Since the regions in (1) and (2) are not necessarily ellipsoids, we replace them with ellipsoidal approximations that circumscribe the region of intersection. Perfect hints are reconsidered as the region of intersection of an ellipsoid and a hyperplane, which is itself an ellipsoid. The compatibility of “approximate,” “modular,” and “short vector” hints from the prior work is examined.
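As an added illustration (not code from the paper or from its toolkit), the update for a single inequality hint: the ellipsoid is replaced by the minimum-volume ellipsoid circumscribing its intersection with the halfspace, which is the classic deep cut of the ellipsoid method (cf. [12]), together with the two boundary checks a practitioner needs: the intersection may be empty (the hint contradicts the ellipsoid) or the hint may already hold on the whole ellipsoid (nothing to cut). The shape matrix A, the hint (a, b), the secret s and the toy instance are assumptions constructed here.

```python
import math

# Ellipsoid E(c, A) = { x : (x - c)^T A^{-1} (x - c) <= 1 } with A symmetric positive
# definite; A plays the role of the paper's Sigma. Pure Python on lists, dimension n >= 2.

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def matvec(M, v):
    return [dot(row, v) for row in M]

def halfspace_cut(c, A, a, b):
    """Inequality hint a^T x <= b: replace E(c, A) by the minimum-volume ellipsoid that
    circumscribes E ∩ {a^T x <= b} (the deep cut of the ellipsoid method).
    Returns (c', A', vol(E') / vol(E)), or None when the intersection is empty."""
    n = len(c)
    assert n >= 2, "the deep-cut formula needs dimension >= 2"
    Aa = matvec(A, a)
    norm = math.sqrt(dot(a, Aa))        # length of a in the ellipsoid norm
    alpha = (dot(a, c) - b) / norm      # signed distance of {a^T x = b} from the centre
    if alpha >= 1.0:                    # hyperplane lies beyond E: no point of E satisfies the hint
        return None
    if alpha <= -1.0 / n:               # E already lies inside the halfspace: E itself is optimal
        return c, A, 1.0
    tau = (1 + n * alpha) / (n + 1)
    delta = n * n * (1 - alpha * alpha) / (n * n - 1)
    sigma = 2 * (1 + n * alpha) / ((n + 1) * (1 + alpha))
    g = [x / norm for x in Aa]          # A a / sqrt(a^T A a)
    c_new = [ci - tau * gi for ci, gi in zip(c, g)]
    A_new = [[delta * (A[i][j] - sigma * g[i] * g[j]) for j in range(n)] for i in range(n)]
    # det(A') = delta^n (1 - sigma) det(A), so the volume shrinks by the square root of that factor
    return c_new, A_new, math.sqrt(delta ** n * (1 - sigma))

def ellipsoid_norm2(c, A, x):
    """(x - c)^T A^{-1} (x - c); x lies in E(c, A) iff this is <= 1.
    Solves A y = x - c by Gauss-Jordan elimination with partial pivoting."""
    n = len(c)
    r = [xi - ci for xi, ci in zip(x, c)]
    M = [row[:] + [ri] for row, ri in zip(A, r)]
    for k in range(n):
        p = max(range(k, n), key=lambda i: abs(M[i][k]))
        M[k], M[p] = M[p], M[k]
        for i in range(n):
            if i != k:
                f = M[i][k] / M[k][k]
                M[i] = [mij - f * mkj for mij, mkj in zip(M[i], M[k])]
    y = [M[i][n] / M[i][i] for i in range(n)]
    return dot(y, r)

if __name__ == "__main__":
    # Constructed toy instance: semi-axes 2, 1, 1 about the origin, secret s = (-1, 0, 0)
    # inside it, and the hint "first coordinate of s is <= 0".
    c0, A0 = [0.0, 0.0, 0.0], [[4.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
    s, a = [-1.0, 0.0, 0.0], [1.0, 0.0, 0.0]
    c1, A1, ratio = halfspace_cut(c0, A0, a, 0.0)
    print("centre", c1, "volume ratio", ratio)                   # (-0.5, 0, 0), 0.84375
    print("secret still inside:", ellipsoid_norm2(c1, A1, s) <= 1.0)
    print("hint that already holds leaves E unchanged:", halfspace_cut(c0, A0, a, 5.0)[2] == 1.0)
    print("contradictory hint gives an empty region:", halfspace_cut(c0, A0, a, -3.0) is None)
```

The containment check is the geometric promise from the abstract made concrete: after the cut the secret is still inside the new ellipsoid, and the returned ratio says how much volume the hint removed.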

We apply our techniques to the decryption failure and side-channel attack settings. We show that “inequality hints” can be used to model decryption failures, and that our new approach yields a geometric analogue of the “failure boosting” technique of D’Anvers et al. [ePrint ’18]. We also show that “combined hints” can be used to fuse information from a decryption failure and a side-channel attack, and provide rigorous guarantees despite the data being non-Gaussian. We provide experimental data for both applications. The code that we have developed to implement the integration of hints and hardness estimates extends the Toolkit from prior work and has been released publicly.

The full version of this paper can be found in [18].

D. Dachman-Soled—This project is supported in part by NSF grant #CNS-1453045 (CAREER), by financial assistance awards 70NANB15H328 and 70NANB19H126 from the U.S. Department of Commerce, National Institute of Standards and Technology, and by Intel through the Intel Labs Crypto Frontiers Research Center.

H. Kippen—Supported in part by the Clark Doctoral Fellowship from the Clark School of Engineering, University of Maryland, College Park.

Notes

  1. We believe our improved accuracy is due to the fact that our modeling incorporates the true distances (w.r.t. the ellipsoid norm) of the intersecting hyperplanes from the center of the ellipsoid with each successive hint, whereas the average-case approach can be viewed as incorporating the expected distance each time.

  2. The term “failure boosting” (see [21]) refers to techniques that use information from previous decryption failures to increase the failure rate for subsequent queries.

  3. The updated toolkit can be found at https://github.com/hunterkipt/Geometric-LWE-Estimator.

  4. This assumes that \(\boldsymbol{\mu }'\) (corresponding to the first d coordinates of \(\boldsymbol{\mu }\)) lies in \(\textsf{Span}(\boldsymbol{\varSigma })\) and that the final coordinate of \(\boldsymbol{\mu }\) is equal to 1, which is the case for \(\textsf{DBDD}\) instances obtained from \(\textsf{DBDD}\) variant instances.

  5. Note that in our experiments it was always the case that \(1/0.9 \textsf{n}_{E_{DF,P}} \le 1\), so the intersection is always non-empty.

  6. The number of bikz reported in our table for the SCA-only attack differs slightly from the bikz reported in [17], as we use the updated code found here: https://github.com/lducas/leaky-LWE-Estimator/tree/fix_extreme_hints2.

References

  1. Alagic, G., et al.: Status report on the third round of the NIST post-quantum cryptography standardization process. Technical Report: NIST Internal Report (NISTIR) 8413, U.S. Department of Commerce, Washington, D.C. (2022)

  2. Albrecht, M., Cid, C., Faugère, J.C., Fitzpatrick, R., Perret, L.: On the complexity of the Arora-Ge algorithm against LWE. In: 3rd International Conference on Symbolic Computation and Cryptography, SCC 2012, Castro Urdiales, Spain, July 2012, pp. 93–99 (2012)

  3. Albrecht, M.R., Bai, S., Li, J., Rowell, J.: Lattice reduction with approximate enumeration oracles. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 732–759. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_25

  4. Albrecht, M.R., Cid, C., Faugère, J.C., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Cryptology ePrint Archive, Report 2012/636 (2012). https://eprint.iacr.org/2012/636

  5. Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_11

  6. Alkim, E., et al.: FrodoKEM: practical quantum-secure key encapsulation from generic lattices, April 2022

  7. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 2016: 25th USENIX Security Symposium, 10–12 August, pp. 327–343. USENIX Association, Austin (2016)

  8. Bai, S., Stehlé, D., Wen, W.: Measuring, simulating and exploiting the head concavity phenomenon in BKZ. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 369–404. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_13

  9. Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the key-reuse resilience of NewHope. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 272–292. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_14

  10. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 10–24. Arlington, VA, USA, 10–12 January. ACM-SIAM (2016)

  11. Bindel, N., Schanck, J.M.: Decryption failure is more likely after success. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 206–225. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_12

  12. Bland, R.G., Goldfarb, D., Todd, M.J.: The ellipsoid method: a survey. Oper. Res. 29(6), 1039–1091 (1981)

  13. Bos, J.W., Friedberger, S., Martinoli, M., Oswald, E., Stam, M.: Assessing the feasibility of single trace power analysis of Frodo. In: Cid, C., Jacobson Jr., M. (eds.) Selected Areas in Cryptography, SAC 2018. LNCS, vol. 11349, pp. 216–234. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-10970-7_10

  14. Bruna, J., Regev, O., Song, M.J., Tang, Y.: Continuous LWE. In: 53rd Annual ACM SIGACT Symposium on Theory of Computing, Virtual Event, STOC 2021, Italy, 21–25 June 2021, pp. 694–707 (2021)

  15. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_3

  16. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1

  17. Dachman-Soled, D., Ducas, L., Gong, H., Rossi, M.: LWE with side information: attacks and concrete security estimation. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 329–358. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_12

  18. Dachman-Soled, D., Gong, H., Hanson, T., Kippen, H.: Revisiting security estimation for LWE with hints from a geometric perspective. Full version of this paper. Cryptology ePrint Archive, Paper 2022/1345 (2022). https://eprint.iacr.org/2022/1345

  19. D’Anvers, J.-P., Guo, Q., Johansson, T., Nilsson, A., Vercauteren, F., Verbauwhede, I.: Decryption failure attacks on IND-CCA secure lattice-based schemes. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 565–598. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_19

  20. D’Anvers, J.-P., Rossi, M., Virdia, F.: (One) failure is not an option: bootstrapping the search for failures in lattice-based encryption schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 3–33. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_1

  21. D’Anvers, J.P., Vercauteren, F., Verbauwhede, I.: On the impact of decryption failures on the security of LWE/LWR based schemes. Cryptology ePrint Archive, Report 2018/1089 (2018). https://eprint.iacr.org/2018/1089

  22. Ding, J., Alsayigh, S., RV, S., Fluhrer, S., Lin, X.: Leakage of signal function with reused keys in RLWE key exchange. Cryptology ePrint Archive, Report 2016/1176 (2016). https://eprint.iacr.org/2016/1176

  23. Ding, J., Fluhrer, S., Rv, S.: Complete attack on RLWE key exchange with reused keys, without signal leakage. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 467–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_27

  24. Ducas, L., Gibbons, S.: Hull attacks on the lattice isomorphism problem. In: Boldyreva, A., Kolesnikov, V. (eds.) Public-Key Cryptography, PKC 2023. LNCS, vol. 13940, pp. 177–204. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-31368-4_7

  25. Fahr Jr., M., et al.: When Frodo flips: end-to-end key recovery on FrodoKEM via Rowhammer. Cryptology ePrint Archive (2022)

  26. Fluhrer, S.: Cryptanalysis of ring-LWE based key exchange with key share reuse. Cryptology ePrint Archive, Report 2016/085 (2016). https://eprint.iacr.org/2016/085

  27. Grötschel, M., Lovász, L., Schrijver, A.: The ellipsoid method. In: Geometric Algorithms and Combinatorial Optimization. Algorithms and Combinatorics, vol. 2, pp. 64–101. Springer, Heidelberg (1988). https://doi.org/10.1007/978-3-642-97881-4_4

  28. Güler, O., Gürtuna, F.: Symmetry of convex sets and its applications to the extremal ellipsoids of convex bodies. Optim. Meth. Softw. 27(4–5), 735–759 (2012)

  29. Guo, Q., Johansson, T., Nilsson, A.: A generic attack on lattice-based schemes using decryption errors with application to ss-ntru-pke. Cryptology ePrint Archive, Report 2019/043 (2019). https://eprint.iacr.org/2019/043

  30. Gupte, A., Vafa, N., Vaikuntanathan, V.: Continuous LWE is as hard as LWE & applications to learning gaussian mixtures. Cryptology ePrint Archive, Report 2022/437 (2022). https://eprint.iacr.org/2022/437

  31. Hanebeck, U.D., Horn, J.: Fusing information simultaneously corrupted by uncertainties with known bounds and random noise with known distribution. Inf. Fus. 1(1), 55–63 (2000)

  32. Herold, G., Kirshanova, E., Laarhoven, T.: Speed-ups and time–memory trade-offs for tuple lattice sieving. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 407–436. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_14

  33. Islam, S., Mus, K., Singh, R., Schaumont, P., Sunar, B.: Signature correction attack on Dilithium signature scheme (2022)

  34. Lenstra, Jr., H.W.: Integer programming with a fixed number of variables. Math. Oper. Res. 8(4), 538–548 (1983)

  35. Kalman, R.E.: A new approach to linear filtering and prediction problems (1960)

  36. Khachiyan, L.G.: A polynomial algorithm in linear programming. In: Doklady Akademii Nauk. Vol. 244, pp. 1093–1096. Russian Academy of Sciences (1979)

  37. Kirkwood, D., Lackey, B.C., McVey, J., Motley, M., Solinas, J.A., Tuller, D.: Failure is not an option: standardization issues for post-quantum key agreement (2015). https://csrc.nist.gov/csrc/media/events/workshop-on-cybersecurity-in-a-post-quantum-world/documents/presentations/session7-motley-mark.pdf

  38. Kocher, P., et al.: Spectre attacks: exploiting speculative execution. Commun. ACM 63(7), 93–101 (2020)

  39. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9

  40. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

  41. Kurzhanski, A.B.: Ellipsoidal calculus for estimation and feedback control. In: Byrnes, C.I., Datta, B.N., Martin, C.F., Gilliam, D.S. (eds.) Systems and Control in the Twenty-First Century. Systems & Control: Foundations & Applications, vol. 22, pp. 229–243. Birkhäuser, Boston, MA (1997). https://doi.org/10.1007/978-1-4612-4120-1_12

  42. Laarhoven, T.: Search problems in cryptography: from fingerprinting to lattice sieving. PhD thesis (2015)

  43. Lipp, M., et al.: Meltdown: reading kernel memory from user space. Commun. ACM 63(6), 46–56 (2020)

  44. McCann, D., Oswald, E., Whitnall, C.: Towards practical tools for side channel aware software engineering: ‘grey box’ modelling for instruction leakages. In: Kirda, E., Ristenpart, T. (eds.) 26th USENIX Security Symposium on USENIX Security 2017, Vancouver, BC, Canada, 16–18 August 2017, pp. 199–216. USENIX Association (2017)

  45. Mus, K., Islam, S., Sunar, B.: QuantumHammer: a practical hybrid attack on the LUOV signature scheme. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) 27th Conference on Computer and Communications Security, ACM CCS 2020, Virtual Event, 9–13 November 2020, pp. 1071–1084, USA, ACM Press (2020)

  46. Qin, Y., Cheng, C., Zhang, X., Pan, Y., Hu, L., Ding, J.: A systematic approach and analysis of key mismatch attacks on lattice-based NIST candidate KEMs. Cryptology ePrint Archive, Report 2021/123 (2021). https://eprint.iacr.org/2021/123

  47. Ravi, P., Jhanwar, M.P., Howe, J., Chattopadhyay, A., Bhasin, S.: Side-channel assisted existential forgery attack on Dilithium - a NIST PQC candidate. Cryptology ePrint Archive, Report 2018/821 (2018). https://eprint.iacr.org/2018/821

  48. Ravi, P., Jhanwar, M.P., Howe, J., Chattopadhyay, A., Bhasin, S.: Exploiting determinism in lattice-based signatures: practical fault attacks on pqm4 implementations of NIST candidates. In: Galbraith, S.D., Russello, G., Susilo, W., Gollmann, D., Kirda, E., Liang, Z. (eds.) 14th ACM Symposium on Information, ASIACCS 2019. Computer and Communications Security, Auckland, New Zealand, 9–12 July 2019, pp. 427–440. ACM Press (2019)

  49. Ros, L., Sabater i Pruna, A., Thomas, F.: An ellipsoid calculus based on propagation and fusion. IEEE Trans. Syst. Man Cybern. Part B (Cybern.) 32, 430–443 (2002)

  50. Schnorr, C., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)

  51. Sepulveda, J., Zankl, A., Mischke, O.: Cache attacks and countermeasures for NTRUEncrypt on MPSoCs: post-quantum resistance for the IoT. In: 2017 30th IEEE International System-on-Chip Conference (SOCC), pp. 120–125 (2017)

  52. Tsunoo, Y.: Crypt-analysis of block ciphers implemented on computers with cache. In: Proceedings of the ISITA2002, October 2002

  53. Villanueva-Polanco, R.: Cold boot attacks on bliss. In: Schwabe, P., Thériault, N. (eds.) LATINCRYPT 2019. LNCS, vol. 11774, pp. 40–61. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30530-7_3

  54. Wang, Z., Shen, X., Zhu, Y.: On equivalence of major relaxation methods for minimum ellipsoid covering intersection of ellipsoids. Automatica 103, 337–345 (2019)

Acknowledgements

We thank the anonymous reviewers for their insightful technical comments as well as their comments to improve the presentation. We would also like to thank Léo Ducas and Mélissa Rossi for helpful technical discussions.

Corresponding author: Dana Dachman-Soled

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Dachman-Soled, D., Gong, H., Hanson, T., Kippen, H. (2023). Revisiting Security Estimation for LWE with Hints from a Geometric Perspective. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14085. Springer, Cham. https://doi.org/10.1007/978-3-031-38554-4_24

  • DOI: https://doi.org/10.1007/978-3-031-38554-4_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38553-7

  • Online ISBN: 978-3-031-38554-4
