Abstract
The primal attack is the strategy most commonly used to estimate the hardness of cryptosystems based on the learning with errors problem (LWE): it reduces LWE to unique-SVP by an embedding technique and then applies lattice reduction such as BKZ to find the shortest vector. The main reason for its popularity is its conservative estimation; in general, the complexity of the primal attack is estimated by the hardness of core-SVP as \({\cal T} = {2^{0.292b}}\). In this work, we first revisit the primal attack and give a supplemental proof for the scaling factor in the Bai-Galbraith embedding, whose value was previously chosen according to experimental results. Then we refine the primal attack in two special cases and analyze the variants in detail. First, for sparse-secret LWE (or sparse secret-error LWE), primal attack with dropping trades off guessing zero components against solving dimension-reduced problems to improve the complexity. Second, when \({{\cal T}_{{\rm{BKZ}}}}(b) = {\rm{poly}}(d) \cdot {{\cal T}_{{\rm{Sieve}}}}(b)\) holds in practice, primal attack with preprocessing reduces the time complexity by a factor of \(2^6\)–\(2^{10}\) by dividing the primal attack into three steps and considering them independently.
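As an added illustration (not code from the paper), the following Python estimator turns the core-SVP cost \({\cal T} = 2^{0.292b}\) quoted above into a concrete block-size estimate for the plain primal attack. It assumes the usual uSVP success condition of Alkim et al. (projected length of the embedded short vector versus the expected Gram-Schmidt length in the Kannan/Bai-Galbraith embedding lattice of dimension \(d = m + n + 1\)), Chen's asymptotic formula for the root Hermite factor \(\delta_0(b)\), and that secret and error share the same standard deviation \(\sigma\) (i.e. after Bai-Galbraith scaling); the parameter sets are constructed toy values, not those of any real scheme.

```python
import math

def delta_0(b):
    # Root Hermite factor reached by BKZ with block size b (Chen's asymptotic formula, b >= 50).
    return ((math.pi * b) ** (1.0 / b) * b / (2 * math.pi * math.e)) ** (1.0 / (2 * (b - 1)))

def usvp_succeeds(n, q, sigma, m, b):
    # Alkim et al. success condition for the embedding lattice of dimension d = m + n + 1:
    # the projection of the short vector (s, e, 1) onto the last b Gram-Schmidt directions
    # (about sigma * sqrt(b)) must be shorter than the expected ||b*_{d-b}||, which the
    # GSA predicts as delta_0^(2b - d - 1) * Vol^(1/d) with Vol = q^m.
    # Assumption: secret and error have the same sigma (after Bai-Galbraith scaling).
    d = m + n + 1
    if b > d:
        return False
    return sigma * math.sqrt(b) <= delta_0(b) ** (2 * b - d - 1) * q ** (m / d)

def core_svp_log2_cost(b, c=0.292):
    # log2 of T = 2^{c*b}: cost of one sieving call in dimension b (c = 0.292 classical).
    return c * b

def estimate_primal(n, q, sigma, max_m=None, m_step=8):
    """Smallest block size b (with the sample count m that achieves it) for which the
    primal attack on LWE(n, q, sigma) is predicted to succeed; None if no m works.
    m is scanned from 1 to max_m (default 2n) in steps of m_step to keep this quick."""
    max_m = 2 * n if max_m is None else max_m
    best = None
    for m in range(1, max_m + 1, m_step):
        d = m + n + 1
        for b in range(50, d + 1):  # linear scan from 50 upward, as in common estimators
            if usvp_succeeds(n, q, sigma, m, b):
                if best is None or b < best["b"]:
                    best = {"b": b, "m": m, "d": d, "log2_cost": core_svp_log2_cost(b)}
                break  # first satisfying b is the minimum for this m
    return best

if __name__ == "__main__":
    # Constructed toy parameters: n = 512, q = 12289, sigma = sqrt(8).
    print(estimate_primal(512, 12289, math.sqrt(8)))
```

The returned `log2_cost` is the conservative core-SVP figure the abstract refers to; the paper's variants (dropping, preprocessing) lower it further under the stated conditions.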
Acknowledgements
This work was supported by National Key Research and Development Program of China (Grant Nos. 2017YFA0303903, 2018YFA0704701), Major Program of Guangdong Basic and Applied Research (Grant No. 2019B030302008), and Major Scientific and Technological Innovation Project of Shandong Province (Grant No. 2019JZZY010133).
Cite this article
Zhang, X., Zheng, Z. & Wang, X. A detailed analysis of primal attack and its variants. Sci. China Inf. Sci. 65, 132301 (2022). https://doi.org/10.1007/s11432-020-2958-9