Abstract
All modern lattice-based schemes build on variants of the LWE problem. Information leakage of the LWE secret \({\textbf {s}} \in \mathbb {Z}_q^n\) is usually modeled via so-called hints, i.e., inner products of \({\textbf {s}}\) with some known vector.
At Crypto‘20, Dachman-Soled, Ducas, Gong and Rossi (DDGR) defined among other so-called perfect hints and modular hints. The trailblazing DDGR framework allows to integrate and combine hints successively into lattices, and estimates the resulting LWE security loss.
We introduce a new methodology to integrate and combine an arbitrary number of perfect and modular in a single stroke. As opposed to DDGR’s, our methodology is significantly more efficient in constructing lattice bases, and thus easily allows for a large number of hints up to cryptographic dimensions – a regime that is currently impractical in DDGR’s implementation. The efficiency of our method defines a large LWE parameter regime, in which we can fully carry out attacks faster than DDGR can solely estimate them.
The benefits of our approach allow us to practically determine which number of hints is sufficient to efficiently break LWE-based lattice schemes in practice. E.g., for mod-q hints, i.e., modular hints defined over \(\mathbb {Z}_q\), we reconstruct Kyber-512 secret keys via LLL reduction (only!) with an amount of 449 hints.
Our results for perfect hints significantly improve over these numbers, requiring for LWE dimension n roughly n/2 perfect hints. E.g., we reconstruct via LLL reduction Kyber-512 keys with merely 234 perfect hints. If we resort to stronger lattice reduction techniques like BKZ, we need even fewer hints.
For mod-q hints our method is extremely efficient, e.g., taking total time for constructing our lattice bases and secret key recovery via LLL of around 20 mins for dimension 512. For perfect hints in dimension 512, we require around 3 h.
Our results demonstrate that especially perfect hints are powerful in practice, and stress the necessity to properly protect lattice schemes against leakage.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We restrict ourselves to rational matrices, because for irrational \({\textbf {B}}\) with linearly dependent rows, the resulting set \(\mathcal {L}({\textbf {B}})\) might not be a lattice.
- 2.
Here we require the hints to be linearly independent. More generally, we have \(\dim \varLambda ^{\textsf{LWE}}_{{\textbf {H}},k}= n+m+1 - {\text {rank}}_\mathbb {R}({\textbf {H}})\).
- 3.
- 4.
Equation (11) would become false, if we would allow secret-error hints.
- 5.
E.g., we cannot hope to upper bound \(\lambda _{n+1-k}(\pi _U(\varLambda ^{\textsf{LWE}}_{{\textbf {H}},k}))\) in terms of the determinant of the lattice, since it is easy to construct examples, where \(\lambda _{2}\) is arbitrarily large, while the determinant is small.
- 6.
- 7.
This is in contrast to the perfect hint setting, where embedding the hints does not increase the lattice dimension.
- 8.
We ran both the DDGR algorithm and Construct-Sublattice in Sage9.7, using the latest patch to speed up fpylll, see https://github.com/fplll/fpylll/pull/239.
References
Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: 29th Annual ACM Symposium on Theory of Computing, pp. 284–293. ACM Press (1997)
Albrecht, M.R., Ducas, L.: Lattice Attacks on NTRU and LWE: a history of refinements, pp. 15–40 (2021)
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - A new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 2016: 25th USENIX Security Symposium, pp. 327–343. USENIX Association (2016)
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM Press (1996)
Bos, J., et al.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 353–367. IEEE (2018)
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 6(3), 1–36 (2014)
Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_11
Coster, M.J., LaMacchia, B.A., Odlyzko, A.M., Schnorr, C.P.: An improved low-density subset sum algorithm. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 54–67. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_4
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)
Dachman-Soled, Dana, Ducas, Léo., Gong, Huijing, Rossi, Mélissa.: LWE with side information: attacks and concrete security estimation. In: Micciancio, Daniele, Ristenpart, Thomas (eds.) CRYPTO 2020. Part II. LNCS, vol. 12171, pp. 329–358. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_12
Ducas, L., et al.: Crystals-dilithium: a lattice-based digital signature scheme. In: IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 238–268 (2018)
The FPLLL development team. fpyLLL, a Python wraper for the fpLLL lattice reduction library, Version: 0.5.7 (2021). https://github.com/fplll/fpylll
Esser, A., May, A., Verbel, J.A., Wen, W.: Partial key exposure attacks on BIKE, rainbow and NTRU. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. Part III. LNCS, vol. 13509, pp. 346–375. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15982-4_12
Fouque, P.A., et al.: Falcon: fast-Fourier lattice-based compact signatures over NTRU. Submission NIST’s Post-quantum Crypt. Stand. Process 36(5), 1–75 (2018)
Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your PS and QS: detection of widespread weak keys in network devices. In: Presented as part of the 21st \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 12), pp. 205–220 (2012)
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Joux, A., Stern, J.: Lattice reduction: a toolbox for the cryptanalyst. J. Cryptol. 11, 161–185 (1998)
Kölbl, S., Misoczki, R., Schmieg, S.: Securing tomorrow today: why Google now protects its internal communications from quantum threats (2022). https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms?hl=en
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)
Martinet, J.: Perfect Lattices in Euclidean Spaces, vol. 327. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-662-05167-2
May, A., Nowakowski, J.: Too many hints - when LLL breaks LWE. Cryptology ePrint Archive, Paper 2023/777 (20230. https://eprint.iacr.org/2023/777
Maze, G., Rosenthal, J., Wagner, U.: Natural density of rectangular unimodular integer matrices. Linear Algebra Appl. 434(5), 1319–1324 (2011)
Odlyzko, A.M.: The rise and fall of knapsack cryptosystems. Cryptol. Comput. Number Theory 42(2) (1990)
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: Hatami, H., McKenzie, P., King, V. (eds.) Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, Montreal, QC, Canada, 19–23 June 2017 (2017)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, pp. 84–93. ACM Press (2005)
Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)
Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36
Wu, H., Wang, X., Xu, G.: Reducing an LWE instance by modular hints and its applications to primal attack, dual attack and BKW attack. Cryptology ePrint Archive, Paper 2022/1404 (2022). https://eprint.iacr.org/2022/1404
Acknowledgements
We are grateful to Carl Richard Theodor Schneider and Martin R. Albrecht for help with and bug-fixing in fpylll. We thank the anonymous reviewers for their detailed comments, that helped to improve our work.
Both authors are funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) - grant 465120249. Alexander May is additionally supported by grant 390781972.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
May, A., Nowakowski, J. (2023). Too Many Hints – When LLL Breaks LWE. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14441. Springer, Singapore. https://doi.org/10.1007/978-981-99-8730-6_4
Download citation
DOI: https://doi.org/10.1007/978-981-99-8730-6_4
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8729-0
Online ISBN: 978-981-99-8730-6
eBook Packages: Computer ScienceComputer Science (R0)