A Hybrid Lattice Basis Reduction and Quantum Search Attack on LWE

Abstract

Recently, an increasing amount of papers proposing post-quantum schemes also provide concrete parameter sets aiming for concrete post-quantum security levels. Security evaluations of such schemes need to include all possible attacks, in particular those by quantum adversaries. In the case of lattice-based cryptography, currently existing quantum attacks are mainly classical attacks, carried out with quantum basis reduction as subroutine.

In this work, we propose a new quantum attack on the learning with errors (LWE) problem, whose hardness is the foundation for many modern lattice-based cryptographic constructions. Our quantum attack is based on Howgrave-Graham’s Classical Hybrid Attack and is suitable for LWE instances in recent cryptographic proposals. We analyze its runtime complexity and optimize it over all possible choices of the attack parameters. In addition, we analyze the concrete post-quantum security levels of the parameter sets proposed for the New Hope and Frodo key exchange schemes, as well as several instances of the Lindner-Peikert encryption scheme. Our results show that – depending on the assumed basis reduction costs – our Quantum Hybrid Attack either significantly outperforms, or is at least comparable to all other attacks covered by Albrecht–Player–Scott in their work “On the concrete hardness of Learning with Errors”. We further show that our Quantum Hybrid Attack improves upon the Classical Hybrid Attack in the case of LWE with binary error.

Appendices

A About the constant in Theorem 1

Brassard–Hoyer–Mosca–Tapp [9] give two different results about amplitude amplification: one for known probability a, and one if a is unknown. One disadvantage of the result about amplification with unknown a is that it is an asymptotic result (see Theorem 1). Such results give a way to group algorithms into complexity classes, but are of limited value for runtime estimations on concrete instances, since the constant factor is unknown. In this section, we show that the hidden constant factor of Theorem 1 is small.

In the analysis of their algorithm with known a, Brassard–Hoyer–Mosca–Tapp show that the success probability of their quantum amplification algorithm after m rounds is given by \(p = \sin ^2((2m+1)\theta _a)\) with \(\theta _a\) such that \(\sin ^2(\theta _a) = a\).

Our goal in this section is to produce an algorithm that succeeds at least with \(p=1/2\). This leads to

$$\begin{aligned} p \ge \frac{1}{2}&\Leftrightarrow \sin ((2m+1)\theta _a) \ge \frac{1}{\sqrt{2}}\\&\Leftrightarrow \frac{1}{4}\pi \le (2m+1)\theta _a \le \frac{3}{4}\pi \\&\Leftrightarrow \frac{\pi }{4 (2m+1)} \le \theta _a \le \frac{3\pi }{4(2m+1)}\\&\Leftrightarrow \sin ^2\left( \frac{\pi }{4 (2m+1)}\right) \le a\le \sin ^2\left( \frac{3\pi }{4(2m+1)}\right) \end{aligned}$$

Since m is big in our applications, we can approximate the bounds by

$$\begin{aligned} a\in \left[ \frac{\pi ^2}{64m^2}, \frac{9\pi ^2}{64m^2}\right] \end{aligned}$$

(9)

Assume we know that \(a\in [b_{min}, b_{max}]\). In the following, we find a sequence of rounds \(m_0, \dots , m_k\) such that \([b_{min}, b_{max}] \subseteq \bigcup _i \left[ \frac{\pi ^2}{64 m_i^2}, \frac{9\pi ^2}{64 m_i^2}\right] \). Given this sequence, we can find a solution as follows. We start with running the algorithm for \(m_0\) rounds. If this succeeds, we found a solution. If not, we run the algorithm for \(m_1\) rounds, and so on. After the last run (with \(m_k\) rounds) at least one of the algorithm calls had a success probability of at least 1/2, so the overall success probability is at least 1/2.

To find the sequence of \(m_i\), we start with selecting \(m_0\) such that \(\frac{9\pi ^2}{64 m_0^2} = b_{max}\), which is equivalent to \(m_0 = \frac{3\pi }{8 \sqrt{b_{max}}}\). The other \(m_i\) are then defined iteratively by selecting \(m_{i+1}\) such that \(\frac{9\pi ^2}{64 m_{i+1}^2} = \frac{\pi ^2}{64 m_{i}^2}\), which is equivalent to \(m_{i+1} = 3 m_i,\) which in turn leads directly to \(m_i = 3^{i+1} \frac{\pi }{8 \sqrt{b_{max}}}\). The second condition of our sequence is that \(\frac{\pi ^2}{64 m_{k}^2} \le b_{min}\). A simple calculation shows that this is equivalent to \(3^{2k+2} \ge \frac{b_{max}}{b_{min}}\). Finally, we take a look at the special when a is distributed according to a Gaussian distribution. By the definition of the Gaussian distribution, we have

$$ \Pr [D_\sigma = x] = c\exp \left( -\frac{x^2}{2 \sigma ^2} \right) , $$

which leads directly to \(b_{min} = c\). It is common knowledge that with overwhelming probability, only elements smaller than \(14\sigma \) get sampled, so we set

$$ b_{max} = c\exp \left( -\frac{(14\sigma )^2}{2\sigma ^2}\right) = c \exp (-98). $$

Consequently, we require \(3^{2k+2} \ge \frac{c}{c \exp (-98)} = \exp (98),\) which is satisfied for \(k\ge 45\) (Tables 4 and 5).

B Hardness Tables for Lindner/Peikert LWE

Table 4. Quantum security estimates for Lindner-Peikert parameter using enumeration as SVP oracle. Table shows the base-two logarithm of the expected runtimes.

Table 5. Quantum security estimates for Lindner-Peikert parameter using enumeration as SVP oracle. Table shows the base-two logarithm of the expected runtimes.