
Simple Analysis of Key Recovery Attack Against LWE

Mathematical Modelling for Next-Generation Cryptography

Part of the book series: Mathematics for Industry (MFI, volume 29)

Abstract

Recently, the learning with errors (LWE) problem has become a central building block for constructing modern schemes in lattice-based cryptography. The security of such schemes relies on the hardness of the LWE problem. In particular, LWE-based cryptography has attracted attention as a candidate for post-quantum cryptography. In 2015, Laine and Lauter analyzed a key recovery attack against the search variant of the LWE problem. Their analysis is based on a generalization of the Boneh–Venkatesan method for the hidden number problem to the LWE problem. They adopted the LLL algorithm and Babai's nearest plane method in the attack, and they also demonstrated the successful range of the attack by experiments on hundreds of LWE instances. In this paper, we give a simple analysis of the attack. While Laine and Lauter's analysis gives explicit information about the effective approximation factor of the LLL algorithm and Babai's nearest plane method, our analysis is useful for estimating which LWE instances can be solved by the key recovery attack.

This is a fully revised paper of [21]. In particular, we apply our estimation to LWE challenge [39] in Sect. 5.3.


References

  1. M.A. Albrecht, C. Cid, J.-C. Faugère, R. Fitzpatrick, L. Perret, On the complexity of the BKW algorithm on LWE. Des. Codes Cryptogr. 74, 325–354 (2015)

  2. M.A. Albrecht, C. Cid, J.-C. Faugère, L. Perret, Algebraic algorithms for LWE, IACR ePrint 2014/1018

  3. Y. Aono, Y. Wang, T. Hayashi, T. Takagi, Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator, in Advances in Cryptology–EUROCRYPT 2016, vol. 9665 (Springer LNCS, 2016), pp. 789–819

  4. S. Arora, R. Ge, New algorithms for learning in presence of errors, in Automata, Languages and Programming, vol. 6755 (Springer LNCS, 2011), pp. 403–415

  5. M.R. Albrecht, R. Player, S. Scott, On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

  6. L. Babai, On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)

  7. A. Blum, A. Kalai, H. Wasserman, Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)

  8. D. Boneh, R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes, in Advances in Cryptology–CRYPTO 1996, vol. 1109 (Springer LNCS, 1996), pp. 129–142

  9. Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, in Innovations in Theoretical Computer Science–ITCS 2012 (ACM, 2012), pp. 309–325

  10. Z. Brakerski, A. Langlois, C. Peikert, O. Regev, D. Stehlé, Classical hardness of learning with errors, in Theory of Computing–STOC 2013 (ACM, 2013), pp. 575–584

  11. Z. Brakerski, V. Vaikuntanathan, Fully homomorphic encryption from ring-LWE and security for key dependent messages, in Advances in Cryptology–CRYPTO 2011, vol. 6841 (Springer LNCS, 2011), pp. 505–524

  12. Z. Brakerski, V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, in Foundations of Computer Science–FOCS 2011 (IEEE, 2011), pp. 97–106

  13. M.R. Bremner, Lattice Basis Reduction: An Introduction to the LLL Algorithm and its Applications (CRC Press, Boca Raton, 2011)

  14. J. Buchmann et al., Creating cryptographic challenges using multi-party computation: the LWE challenge, in AsiaPKC 2016 (ACM, 2016), pp. 11–20

  15. Y. Chen, P.Q. Nguyen, BKZ 2.0: Better lattice security estimates, in Advances in Cryptology–ASIACRYPT 2011, vol. 7073 (Springer LNCS, 2011), pp. 1–20

  16. S.D. Galbraith, Mathematics of Public Key Cryptography (Cambridge University Press, Cambridge, 2012)

  17. N. Gama, P.Q. Nguyen, Predicting lattice reduction, in Advances in Cryptology–EUROCRYPT 2008, vol. 4965 (Springer LNCS, 2008), pp. 31–51

  18. C. Gentry, S. Gorbunov, S. Halevi, Graph-induced multilinear maps from lattices, in Theory of Cryptography–TCC 2015, vol. 9015 (Springer LNCS, 2015), pp. 498–527

  19. R. Kannan, Minkowski's convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)

  20. M.J. Kearns, Y. Mansour, D. Ron, R. Rubinfeld, R.E. Schapire, L. Sellie, On the learnability of discrete distributions, in Theory of Computing–STOC 1994 (ACM, 1994), pp. 273–282

  21. M. Kudo, J. Yamaguchi, Y. Guo, M. Yasuda, Practical analysis of key recovery attack against search-LWE problem, in International Workshop on Security–IWSEC 2016, vol. 9836 (Springer LNCS, 2016), pp. 164–181

  22. K. Laine, K. Lauter, Key recovery for LWE in polynomial time, IACR ePrint 2015/176 (2015)

  23. A.K. Lenstra, H.W. Lenstra, L. Lovász, Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)

  24. M. Liu, P.Q. Nguyen, Solving BDD by enumeration: an update, in Topics in Cryptology–CT-RSA 2013, vol. 7779 (Springer LNCS, 2013), pp. 293–309

  25. R. Lindner, C. Peikert, Better key sizes (and attacks) for LWE-based encryption, in Topics in Cryptology–CT-RSA 2011, vol. 6558 (Springer LNCS, 2011), pp. 319–339

  26. D. Micciancio, C. Peikert, Trapdoors for lattices: Simpler, tighter, faster, smaller, in Advances in Cryptology–EUROCRYPT 2012, vol. 7237 (Springer LNCS, 2012), pp. 700–718

  27. D. Micciancio, O. Regev, Lattice-based cryptography, in Post-Quantum Cryptography–PQCrypto 2009 (Springer, 2009), pp. 147–191

  28. P.Q. Nguyen, B. Vallée, The LLL Algorithm, Information Security and Cryptography (Springer, Berlin, 2010)

  29. National Institute of Standards and Technology (NIST), Report on post-quantum cryptography, http://csrc.nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf

  30. The PARI Group, PARI/GP, http://pari.math.u-bordeaux.fr/

  31. C. Peikert, Public-key cryptosystems from the worst-case shortest vector problem: Extended abstract, in Theory of Computing–STOC 2009 (ACM, 2009), pp. 333–342

  32. C. Peikert, Challenges for Ring-LWE, http://web.eecs.umich.edu/cpeikert/rlwe-challenges/

  33. C. Peikert, B. Waters, Lossy trapdoor functions and their applications. SIAM J. Comput. 40(6), 1803–1844 (2011)

  34. O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in Theory of Computing–STOC 2005 (ACM, 2005), pp. 84–93

  35. O. Regev, On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), Article No. 34 (2009)

  36. The Sage Group, SageMath: Open-Source Mathematical Software System, http://www.sagemath.org/

  37. C.P. Schnorr, Lattice reduction by random sampling and birthday methods, in STACS 2003, vol. 2606 (Springer LNCS, 2003), pp. 145–156

  38. C.P. Schnorr, M. Euchner, Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)

  39. TU Darmstadt, LWE Challenge, https://www.latticechallenge.org/lwe_challenge/challenge.php


Acknowledgements

A part of this work was also supported by JSPS KAKENHI Grant Number 16H02830. The author thanks Momonari Kudo, Yang Guo, and Junpei Yamaguchi for collecting the experimental data.

Author information

Corresponding author: Masaya Yasuda

Copyright information

© 2018 Springer Nature Singapore Pte Ltd.

About this chapter

Cite this chapter

Yasuda, M. (2018). Simple Analysis of Key Recovery Attack Against LWE. In: Takagi, T., Wakayama, M., Tanaka, K., Kunihiro, N., Kimoto, K., Duong, D. (eds) Mathematical Modelling for Next-Generation Cryptography. Mathematics for Industry, vol 29. Springer, Singapore. https://doi.org/10.1007/978-981-10-5065-7_12

  • DOI: https://doi.org/10.1007/978-981-10-5065-7_12

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-5064-0

  • Online ISBN: 978-981-10-5065-7
