Article

On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack

Authors:

Johannes Buchmann,

Florian Göpfert,

Thomas WundererAuthors Info & Claims

Proceedings of the 8th International Conference on Progress in Cryptology --- AFRICACRYPT 2016 - Volume 9646

Pages 24 - 43

https://doi.org/10.1007/978-3-319-31517-1_2

Published: 13 April 2016 Publication History

Abstract

The security of many cryptographic schemes has been based on special instances of the Learning with Errors LWE problem, e.g., Ring-LWE, LWE with binary secret, or LWE with ternary error. However, recent results show that some subclasses are weaker than expected. In this work we show that LWE with binary error, introduced by Micciancio and Peikert, is one such subclass. We achieve this by applying the Howgrave-Graham attack on NTRU, which is a combination of lattice techniques and a Meet-in-the-Middle approach, to this setting. We show that the attack outperforms all other currently existing algorithms for several natural parameter sets. For instance, for the parameter set $$n=256$$, $$m=512$$, $$q=256$$, this attack on LWE with binary error only requires $$2^{85}$$ operations, while the previously best attack requires $$2^{117}$$ operations. We additionally present a complete and improved analysis of the attack, using analytic techniques. Finally, based on the attack, we give concrete hardness estimations that can be used to select secure parameters for schemes based on LWE with binary error.

References

[1]

Albrecht, M.R., Cid, C., Faugère, J., Fitzpatrick, R., Perret, L.: Algebraic algorithms for LWE problems. In: IACR Cryptology ePrint Archive 2014, p. 1018 2014

[2]

Albrecht, M.R., Cid, C., Faugère, J., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Des. Codes Crypt. 742, 325---354 2015

Digital Library

[3]

Albrecht, M.R., Faugère, J., Fitzpatrick, R., Perret, L.: Lazy modulus switching for the BKW algorithm on LWE. In: Krawczyk {28}, pp. 429---445

Digital Library

[4]

Albrecht, M.R., Fitzpatrick, R., Göpfert, F.: On the efficacy of solving LWE by reduction to unique-SVP. In: Lee, H.-S., Han, D.-G. eds. ICISC 2013. LNCS, vol. 8565, pp. 293---310. Springer, Heidelberg 2014

[5]

Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptology 93, 169---203 2015

[6]

Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. eds. ICALP 2011, Part I. LNCS, vol. 6755, pp. 403---415. Springer, Heidelberg 2011

Digital Library

[7]

Babai, L.: On Lovász' lattice reduction and the nearest lattice pointproblem. In: Mehlhorn, K. ed. STACS 85. LNCS, vol. 182, pp. 13---20. Springer, Berlin 1985

Digital Library

[8]

Babai, L.: On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 61, 1---13 1986

Digital Library

[9]

Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. eds. ACISP 2014. LNCS, vol. 8544, pp. 322---337. Springer, Heidelberg 2014

[10]

Bai, S., Galbraith, S.D., Li, L., Sheffield, D.: Improved exponential-time algorithms for inhomogeneous-sis. In: IACR Cryptology ePrint Archive 2014, p. 593 2014

[11]

Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 504, 506---519 2003

Digital Library

[12]

Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption fromstandard LWE. In: Ostrovsky, R. eds. FOCS 2011, pp. 97---106, Palm Springs, CA, USA. IEEE Computer Society, 22---25 October 2011

Digital Library

[13]

Buchmann, J., Göpfert, F., Player, R., Wunderer, T.: On the hardness of LWE with binary error: revisiting the hybridlattice-reduction and meet-in-the-middle attack. Cryptology ePrint Archive, Report 2016/089 2016. http://eprint.iacr.org/

Digital Library

[14]

Canetti, R., Garay, J.A. eds.: CRYPTO 2013, Part I. LNCS, vol. 8042. Springer, Heidelberg 2013

[15]

Chen, H., Lauter, K.E., Stange, K.E.: Attacks on search RLWE. IACR Cryptology ePrint Archive 2015, p. 971 2015

[16]

Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. eds. ASIACRYPT 2011. LNCS, vol. 7073, pp. 1---20. Springer, Heidelberg 2011

Digital Library

[17]

Duc, A., Tramèr, F., Vaudenay, S.: Better algorithms for LWE and LWR. In: Oswald, E., Fischlin, M. eds. EUROCRYPT 2015. LNCS, vol. 9056, pp. 173---202. Springer, Heidelberg 2015

[18]

Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal gaussians. In: Canetti, R., Garay, J.A. eds. {14}, pp. 40---56

[19]

Eisenträger, K., Hallgren, S., Lauter, K.: Weak Instances of PLWE. In: Joux, A., Youssef, A. eds. SAC 2014. LNCS, vol. 8781, pp. 183---194. Springer, Heidelberg 2014

[20]

Elias, Y., Lauter, K.E., Ozman, E., Stange, K.E.: Provably weak instances of ring-LWE. In: Gennaro, R., Robshaw, M. eds. {21}, pp. 63---92

[21]

Gennaro, R., Robshaw, M. eds.: CRYPTO 2015. LNCS, vol. 9215. Springer, Berlin 2015

[22]

Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. eds. CHES 2012. LNCS, vol. 7428, pp. 530---547. Springer, Heidelberg 2012

Digital Library

[23]

Guo, Q., Johansson, T., Stankovski, P.: Coded-BKW: solving LWE using lattice codes. In: Gennaro, R., Robshaw, M. eds. {21}, pp. 23---42

[24]

Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. eds. ACNS 2009. LNCS, vol. 5536, pp. 437---455. Springer, Heidelberg 2009

Digital Library

[25]

Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. ed. CRYPTO 2007. LNCS, vol. 4622, pp. 150---169. Springer, Heidelberg 2007

Digital Library

[26]

Kannan, R.: Minkowski's convex body theorem and integer programming. Math. Oper. Res. 123, 415---440 1987

[27]

Kirchner, P., Fouque, P.: An improved BKW algorithm for LWE with applications to cryptography and lattices. In: Gennaro, R., Robshaw, M. eds. {21}, pp. 43---62

[28]

Krawczyk, H. ed.: PKC 2014. LNCS, vol. 8383. Springer, Heidelberg 2014

[29]

Laine, K., Lauter, K.E.: Key recovery for LWE in polynomial time. IACR Cryptology ePrint Archive 2015, p. 176 2015

[30]

Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. ed. {28}, pp. 345---361

Digital Library

[31]

Li, S.: Concise formulas for the area and volume of a hyperspherical cap. Asian J. Math. Stat. 41, 66---70 2011

[32]

Lindner, R., Peikert, C.: Better key sizes and attacks for LWE-based encryption. In: Kiayias, A. ed. CT-RSA 2011. LNCS, vol. 6558, pp. 319---339. Springer, Heidelberg 2011

Digital Library

[33]

Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. ed. CT-RSA 2013. LNCS, vol. 7779, pp. 293---309. Springer, Heidelberg 2013

Digital Library

[34]

Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 606, 43 2013

Digital Library

[35]

Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. eds. {14}, pp. 21---39

[36]

Micciancio, D., Regev, O.: Lattice-based cryptography. Springer, Berlin 2009

[37]

Micciancio, D., Walter, M.: Practical, predictable lattice basis reduction. IACR Cryptology ePrint Archive 2015, p. 1123 2015

[38]

Olver, F.W.: NIST Handbook of Mathematical Functions. Cambridge University Press, Cambridge 2010

Digital Library

[39]

Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Mitzenmacher, M. eds. STOC 2009, pp. 333---342, Bethesda, MD, USA. ACM, May 31---June 2, 2009

Digital Library

[40]

Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. SIAM J. Comput. 406, 1803---1844 2011

Digital Library

[41]

Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. eds. Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pp. 84---93, Baltimore, MD, USA. ACM, 22---24 May 2005

Digital Library

[42]

Stein, W., et al.: Sage Mathematics Software Version 6.3. The Sage Development Team 2014. http://www.sagemath.org

Cited By

Bao THe PXie JJacinto H(2024)AEKA: FPGA Implementation of Area-Efficient Karatsuba Accelerator for Ring-Binary-LWE-Based Lightweight PQCACM Transactions on Reconfigurable Technology and Systems10.1145/363721517:2(1-23)Online publication date: 30-Apr-2024
https://dl.acm.org/doi/10.1145/3637215
Nolte NMalhou MWenger EStevens SLi CCharton FLauter K(2024)The Cool and the Cruel: Separating Hard Parts of LWE SecretsProgress in Cryptology - AFRICACRYPT 202410.1007/978-3-031-64381-1_19(428-453)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1007/978-3-031-64381-1_19
He PBao TXie JAmin M(2023)FPGA Implementation of Compact Hardware Accelerators for Ring-Binary-LWE-based Post-quantum CryptographyACM Transactions on Reconfigurable Technology and Systems10.1145/356945716:3(1-23)Online publication date: 21-Jun-2023
https://dl.acm.org/doi/10.1145/3569457
Show More Cited By

Recommendations

NTWE: A Natural Combination of NTRU and LWE
Post-Quantum Cryptography
Abstract
Lattice-based cryptosystems are some of the primary post-quantum secure alternatives to the asymmetric cryptography that is used today. These lattice-based cryptosystems typically rely on the hardness of some version of either the NTRU or the LWE ...
KDM and Selective Opening Secure IBE Based on the LWE Problem
APKC '17: Proceedings of the 4th ACM International Workshop on ASIA Public-Key Cryptography

Based on the learning with errors (LWE) problem, we construct an identity-based encryption (IBE) scheme in the standard-model which is secure against the key dependent message (KDM) attacks and the selective opening (SO) attacks. KDM security, which ...
NTRUReEncrypt: An Efficient Proxy Re-Encryption Scheme Based on NTRU
ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

The use of alternative foundations for constructing more secure and efficient cryptographic schemes is a topic worth exploring. In the case of proxy re-encryption, the vast majority of schemes are based on number theoretic problems such as the discrete ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

Proceedings of the 8th International Conference on Progress in Cryptology --- AFRICACRYPT 2016 - Volume 9646

April 2016

353 pages

ISBN:9783319315164

Editors:
David Pointcheval
Ecole Normale Supérieure, Paris, France
,
Abderrahmane Nitaj
University of Caen, Caen, France
,
Tajjeeddine Rachidi
Al Akhawayn University in Ifrane, Ifrane, Morocco

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 13 April 2016

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

11
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Bao THe PXie JJacinto H(2024)AEKA: FPGA Implementation of Area-Efficient Karatsuba Accelerator for Ring-Binary-LWE-Based Lightweight PQCACM Transactions on Reconfigurable Technology and Systems10.1145/363721517:2(1-23)Online publication date: 30-Apr-2024
https://dl.acm.org/doi/10.1145/3637215
Nolte NMalhou MWenger EStevens SLi CCharton FLauter K(2024)The Cool and the Cruel: Separating Hard Parts of LWE SecretsProgress in Cryptology - AFRICACRYPT 202410.1007/978-3-031-64381-1_19(428-453)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1007/978-3-031-64381-1_19
He PBao TXie JAmin M(2023)FPGA Implementation of Compact Hardware Accelerators for Ring-Binary-LWE-based Post-quantum CryptographyACM Transactions on Reconfigurable Technology and Systems10.1145/356945716:3(1-23)Online publication date: 21-Jun-2023
https://dl.acm.org/doi/10.1145/3569457
Guo QJohansson T(2021)Faster Dual Lattice Attacks for Solving LWE with Applications to CRYSTALSAdvances in Cryptology – ASIACRYPT 202110.1007/978-3-030-92068-5_2(33-62)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1007/978-3-030-92068-5_2
May A(2021)How to Meet Ternary LWE KeysAdvances in Cryptology – CRYPTO 202110.1007/978-3-030-84245-1_24(701-731)Online publication date: 16-Aug-2021
https://dl.acm.org/doi/10.1007/978-3-030-84245-1_24
Gay RJain ALin HSahai A(2021)Indistinguishability Obfuscation from Simple-to-State Hard Problems: New Assumptions, New Techniques, and SimplificationAdvances in Cryptology – EUROCRYPT 202110.1007/978-3-030-77883-5_4(97-126)Online publication date: 17-Oct-2021
https://dl.acm.org/doi/10.1007/978-3-030-77883-5_4
Espitau TJoux AKharchenko N(2020)On a Dual/Hybrid Approach to Small Secret LWEProgress in Cryptology – INDOCRYPT 202010.1007/978-3-030-65277-7_20(440-462)Online publication date: 13-Dec-2020
https://dl.acm.org/doi/10.1007/978-3-030-65277-7_20
Son YCheon JBrenner MLepoint TRohloff K(2019)Revisiting the Hybrid Attack on Sparse Secret LWE and Application to HE ParametersProceedings of the 7th ACM Workshop on Encrypted Computing & Applied Homomorphic Cryptography10.1145/3338469.3358941(11-20)Online publication date: 11-Nov-2019
https://dl.acm.org/doi/10.1145/3338469.3358941
Albrecht MCurtis BWunderer T(2019)Exploring Trade-offs in Batch Bounded Distance DecodingSelected Areas in Cryptography – SAC 201910.1007/978-3-030-38471-5_19(467-491)Online publication date: 12-Aug-2019
https://dl.acm.org/doi/10.1007/978-3-030-38471-5_19
Villanueva-Polanco R(2019)Cold Boot Attacks on BlissProgress in Cryptology – LATINCRYPT 201910.1007/978-3-030-30530-7_3(40-61)Online publication date: 2-Oct-2019
https://dl.acm.org/doi/10.1007/978-3-030-30530-7_3
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Table of Contents