
Memory-Efficient Attacks on Small LWE Keys

Published: 20 August 2024

Abstract

Combinatorial attacks on small max norm LWE keys suffer enormous memory requirements, which render them inefficient in realistic attack scenarios. Therefore, more memory-efficient substitutes for these algorithms are needed. In this work, we provide new combinatorial algorithms for recovering small max norm LWE secrets that outperform previous approaches whenever the available memory is limited. We analyze our algorithms for the secret key distributions of current NTRU, Kyber and Dilithium variants, showing that our new approach outperforms previous memory-efficient algorithms. For instance, for uniformly random ternary secrets of length n we improve the best known time complexity for polynomial memory algorithms from 2^{1.063n} down to 2^{0.926n}. We obtain even larger gains for LWE secrets in {-m,...,m}^n with m=2,3 as found in Kyber and Dilithium. For example, for uniformly random keys in {-2,...,2}^n, as is the case for Dilithium, we improve the previously best time under polynomial memory restriction from 2^{1.742n} down to 2^{1.282n}. Eventually, we provide novel time-memory trade-offs continuously interpolating between our polynomial memory algorithms and the best algorithms in the unlimited memory case (May, in: Malkin, Peikert (eds) CRYPTO 2021, Part II, Springer, Heidelberg 2021. https://doi.org/10.1007/978-3-030-84245-1_24).
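The tension the abstract starts from, a combinatorial attack whose lookup table makes memory the bottleneck versus a polynomial-memory substitute that pays in time, is easiest to see on a toy instance. The block below is an added illustration written for this page; it is not the authors' code and does not implement the paper's algorithms (nested collision search, representation technique). It shows only the two ends of the trade-off in their simplest form: a plain table-based meet-in-the-middle that stores 3^{n/2} half-sums, and a polynomial-memory collision search in the spirit of van Oorschot and Wiener [43] (single-walk version, no distinguished points) that replaces the table by Floyd cycle finding on a hashed function and re-randomizes the walk until the one "golden" collision that encodes the key appears. Assumptions made here: n = 8, q = 17, a square matrix A, the error term set to zero so that matching is an exact lookup (an NTRU-style key equation rather than noisy LWE), and SHA-256 as the walk function.

```python
"""Toy meet-in-the-middle on a ternary key with and without a large table.
Added illustration, not the paper's code: n, q, the e = 0 simplification and
the SHA-256 walk function are assumptions made here."""
import hashlib
import itertools
import random

TERNARY = (-1, 0, 1)

def matvec(A, v, q):
    return tuple(sum(a * x for a, x in zip(row, v)) % q for row in A)

def make_instance(n, q, seed):
    """Constructed instance: random A in Z_q^{n x n}, ternary s, b = A*s mod q.
    Error set to zero (NTRU-style exact key equation) so lookups are exact."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
    s = [rng.choice(TERNARY) for _ in range(n)]
    return A, s, matvec(A, s, q)

def verify(A, b, s, q):
    return all(x in TERNARY for x in s) and matvec(A, s, q) == tuple(b)

def split(A):  # column halves: A*s = A1*s1 + A2*s2
    h = len(A) // 2
    return h, [row[:h] for row in A], [row[h:] for row in A]

def mitm_table(A, b, q):
    """Classic MitM: store A2*s2 for all 3^(n-h) choices of s2 (the memory
    bottleneck), then look up b - A1*s1 for each s1.  Returns (key, table size)."""
    h, A1, A2 = split(A)
    table = {matvec(A2, s2, q): s2 for s2 in itertools.product(TERNARY, repeat=len(A) - h)}
    for s1 in itertools.product(TERNARY, repeat=h):
        target = tuple((bi - x) % q for bi, x in zip(b, matvec(A1, s1, q)))
        if target in table:
            return list(s1) + list(table[target]), len(table)
    return None, len(table)

def floyd_collision(f, x0):
    """Floyd cycle finding in O(1) memory: (u, v) with u != v, f(u) == f(v),
    or None when x0 already lies on its own cycle."""
    t, h = f(x0), f(f(x0))
    while t != h:
        t, h = f(t), f(f(h))
    t = x0
    while True:
        ft, fh = f(t), f(h)
        if ft == fh:
            return (t, h) if t != h else None
        t, h = ft, fh

def collision_search(A, b, q, seed=0, max_flavours=100_000):
    """Polynomial-memory MitM in the van Oorschot-Wiener style.  Domain: flag
    bit + ternary half-vector; g maps flag 0 to b - A1*s1, flag 1 to A2*s2.
    Walking a hashed copy of g finds random collisions; the 'golden' one
    (g(x) == g(y) with different flags) is the key.  Each flavour k is a
    fresh walk.  Returns (key, flavours used, g evaluations)."""
    assert len(A) % 2 == 0, "toy code assumes even n"
    h, A1, A2 = split(A)
    N = 2 * 3 ** h
    stats = {"evals": 0}

    def decode(idx):
        flag, r = divmod(idx, 3 ** h)
        digits = []
        for _ in range(h):
            r, d = divmod(r, 3)
            digits.append(d - 1)
        return flag, digits

    def g(idx):
        stats["evals"] += 1
        flag, v = decode(idx)
        if flag == 0:
            return tuple((bi - x) % q for bi, x in zip(b, matvec(A1, v, q)))
        return matvec(A2, v, q)

    def walk(k):  # f_k = H_k o g, H_k a SHA-256 based map back into the domain
        return lambda idx: int.from_bytes(
            hashlib.sha256(repr((k, g(idx))).encode()).digest(), "big") % N

    rng = random.Random(seed)
    for k in range(max_flavours):
        found = floyd_collision(walk(k), rng.randrange(N))
        if found is None:
            continue
        (fx, vx), (fy, vy) = decode(found[0]), decode(found[1])
        if fx != fy and g(found[0]) == g(found[1]):
            s1, s2 = (vx, vy) if fx == 0 else (vy, vx)
            return s1 + s2, k + 1, stats["evals"]
    return None, max_flavours, stats["evals"]

if __name__ == "__main__":
    A, s, b = make_instance(8, 17, seed=1)
    print("table MitM:", mitm_table(A, b, 17)[0] == s)
    print("collision search:", collision_search(A, b, 17)[0] == s)
```

Both routines recover the same key, but `mitm_table` keeps 3^{n/2} = 2^{0.79n} entries alive, while `collision_search` holds only a few domain elements at any time and instead runs many walks of about sqrt(N) steps each; since only one of the roughly N/2 collisions of a random function is the golden one, the heuristic cost is on the order of N^{3/2} with N = 2·3^{n/2}, i.e. about 2^{1.19n}, which is already worse than the 2^{1.063n} the abstract quotes as the previous polynomial-memory record. Getting that exponent down to 2^{0.926n} is what the paper's nested collision search and representation technique buy; neither appears in this toy. With a nonzero LWE error the exact dictionary lookup and exact `g(x) == g(y)` test would have to be replaced by an approximate match, which is omitted here.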

References

[1]
G. Adj, D. Cervantes-Vázquez, J.J. Chi-Domínguez, A. Menezes, F. Rodríguez-Henríquez, On the cost of computing isogenies between supersingular elliptic curves, in C. Cid, M.J. Jacobson Jr, editors, SAC 2018. LNCS, vol. 11349 (Springer, Heidelberg, 2019), pp. 322–343.
[2]
M.R. Albrecht, S. Bai, L. Ducas, A subfield lattice attack on overstretched NTRU assumptions—cryptanalysis of some FHE and graded encoding schemes, in M. Robshaw, J. Katz, editors, CRYPTO 2016, Part I. LNCS, vol. 9814 (Springer, Heidelberg, 2016), pp. 153–178.
[3]
M.R. Albrecht, S. Bai, P.A. Fouque, P. Kirchner, D. Stehlé, W. Wen, Faster enumeration-based lattice reduction: root Hermite factor k^{1/(2k)} in time k^{k/8+o(k)}, in D. Micciancio, T. Ristenpart, editors, CRYPTO 2020, Part II. LNCS, vol. 12171 (Springer, Heidelberg, 2020), pp. 186–212.
[4]
A. Becker, J.S. Coron, A. Joux, Improved generic algorithms for hard knapsacks, in K.G. Paterson, editor, EUROCRYPT 2011. LNCS, vol. 6632 (Springer, Heidelberg, 2011), pp. 364–385.
[5]
A. Becker, A. Joux, A. May, A. Meurer, Decoding random binary linear codes in 2^{n/20}: how 1 + 1 = 0 improves information set decoding, in D. Pointcheval, T. Johansson, editors, EUROCRYPT 2012. LNCS, vol. 7237 (Springer, Heidelberg, 2012), pp. 520–536.
[6]
E. Bellini, J. Chavez-Saab, J.J. Chi-Domínguez, A. Esser, S. Ionica, L. Rivera-Zamarripa, F. Rodríguez-Henríquez, M. Trimoska, F. Zweydinger, Parallel isogeny path finding with limited memory, in Progress in Cryptology—INDOCRYPT 2022: 23rd International Conference on Cryptology in India, Kolkata, India, December 11–14, 2022, Proceedings (Springer, 2023), pp. 294–316.
[7]
D.J. Bernstein, C. Chuengsatiansup, T. Lange, C. van Vredendaal, NTRU prime: reducing attack surface at low cost, in C. Adams, J. Camenisch, editors, SAC 2017. LNCS, vol. 10719 (Springer, Heidelberg, 2017), pp. 235–260.
[8]
L. Bi, X. Lu, J. Luo, K. Wang, Hybrid dual and meet-LWE attack, in Information Security and Privacy: 27th Australasian Conference, ACISP 2022, Wollongong, NSW, Australia, November 28–30, 2022, Proceedings (Springer, 2022), pp. 168–188.
[9]
X. Bonnetain, R. Bricout, A. Schrottenloher, Y. Shen, Improved classical and quantum algorithms for subset-sum, in S. Moriai, H. Wang, editors, ASIACRYPT 2020, Part II. LNCS, vol. 12492 (Springer, Heidelberg, 2020), pp. 633–666.
[10]
J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J.M. Schanck, P. Schwabe, G. Seiler, D. Stehlé, CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM, in 2018 IEEE European Symposium on Security and Privacy (EuroS&P) (IEEE, 2018), pp. 353–367.
[11]
J.W. Bos, M.E. Kaihara, T. Kleinjung, A.K. Lenstra, P.L. Montgomery, Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. Int. J. Appl. Cryptogr. 2(3), 212–228 (2012).
[12]
R. Bricout, A. Chailloux, T. Debris-Alazard, M. Lequesne, Ternary syndrome decoding with large weight, in K.G. Paterson, D. Stebila, editors, SAC 2019. LNCS, vol. 11959 (Springer, Heidelberg, 2019), pp. 437–466.
[13]
K. Carrier, V. Hatey, J. Tillich, Projective space stern decoding and application to SDitH. IACR Cryptol. ePrint Arch (2023), p. 1865. https://eprint.iacr.org/2023/1865
[14]
C. Delaplace, A. Esser, A. May, Improved low-memory subset sum and LPN algorithms via multiple collisions, in M. Albrecht, editor, 17th IMA International Conference on Cryptography and Coding. LNCS, vol. 11929 (Springer, Heidelberg, 2019), pp. 178–199.
[15]
I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems, in R. Safavi-Naini, R. Canetti, editors, CRYPTO 2012. LNCS, vol. 7417 (Springer, Heidelberg, 2012), pp. 719–740.
[16]
I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Memory-efficient algorithms for finding needles in haystacks, in M. Robshaw, J. Katz, editors, CRYPTO 2016, Part II. LNCS, vol. 9815 (Springer, Heidelberg, 2016), pp. 185–206.
[17]
L. Ducas, A. Durmus, T. Lepoint, V. Lyubashevsky, Lattice signatures and bimodal Gaussians, in R. Canetti, J.A. Garay, editors, CRYPTO 2013, Part I. LNCS, vol. 8042 (Springer, Heidelberg, 2013), pp. 40–56.
[18]
L. Ducas, M. Stevens, W.P.J. van Woerden, Advanced lattice sieving on GPUs, with tensor cores, in A. Canteaut, F.X. Standaert, editors, EUROCRYPT 2021, Part II. LNCS, vol. 12697 (Springer, Heidelberg, 2021), pp. 249–279.
[19]
A. Esser, R. Girme, A. Mukherjee, S. Sarkar, Memory-efficient attacks on small LWE keys, in J. Guo, R. Steinfeld, editors, Advances in Cryptology—ASIACRYPT 2023—29th International Conference on the Theory and Application of Cryptology and Information Security, Guangzhou, China, December 4–8, 2023, Proceedings, Part IV. Lecture Notes in Computer Science, vol. 14441 (Springer, 2023), pp. 72–105.
[20]
A. Esser, A. May, Low weight discrete logarithm and subset sum in 2^{0.65n} with polynomial memory, in A. Canteaut, Y. Ishai, editors, EUROCRYPT 2020, Part III. LNCS, vol. 12107 (Springer, Heidelberg, 2020), pp. 94–122.
[21]
A. Esser, A. May, F. Zweydinger, McEliece needs a break—solving McEliece-1284 and quasi-cyclic-2918 with modern ISD, in O. Dunkelman, S. Dziembowski, editors, EUROCRYPT 2022, Part III. LNCS, vol. 13277 (Springer, Heidelberg, 2022), pp. 433–457.
[22]
A. Esser, P. Santini, Not just regular decoding: asymptotics and improvements of regular syndrome decoding attacks. IACR Cryptol. ePrint Arch (2023), p. 1568. https://eprint.iacr.org/2023/1568
[23]
A. Esser, F. Zweydinger, New time-memory trade-offs for subset sum—improving ISD in theory and practice, in C. Hazay, M. Stam, editors, Advances in Cryptology—EUROCRYPT 2023—42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23–27, 2023, Proceedings, Part V. Lecture Notes in Computer Science, vol. 14008 (Springer, 2023), pp. 360–390.
[24]
N. Gama, P.Q. Nguyen, O. Regev, Lattice enumeration using extreme pruning, in H. Gilbert, editor, EUROCRYPT 2010. LNCS, vol. 6110 (Springer, Heidelberg, 2010), pp. 257–278.
[25]
C. Gentry, Fully homomorphic encryption using ideal lattices, in M. Mitzenmacher, editor, 41st ACM STOC (ACM Press, 2009), pp. 169–178.
[26]
T. Glaser, A. May, How to enumerate LWE keys as narrow as in Kyber/Dilithium, in International Conference on Cryptology and Network Security (Springer, 2023), pp. 75–100.
[27]
T. Güneysu, V. Lyubashevsky, T. Pöppelmann, Practical lattice-based cryptography: a signature scheme for embedded systems, in E. Prouff, P. Schaumont, editors, CHES 2012. LNCS, vol. 7428 (Springer, Heidelberg, 2012), pp. 530–547.
[28]
M. Hhan, J. Kim, C. Lee, Y. Son, How to meet ternary LWE keys on Babai's nearest plane. Cryptology ePrint Archive (2022).
[29]
J. Hoffstein, J. Pipher, J.H. Silverman, NTRU: a ring-based public key cryptosystem, in Third Algorithmic Number Theory Symposium (ANTS). LNCS, vol. 1423 (Springer, Heidelberg, 1998), pp. 267–288.
[30]
N. Howgrave-Graham, A hybrid lattice-reduction and meet-in-the-middle attack against NTRU, in A. Menezes, editor, CRYPTO 2007. LNCS, vol. 4622 (Springer, Heidelberg, 2007), pp. 150–169.
[31]
N. Howgrave-Graham, A. Joux, New generic algorithms for hard knapsacks, in H. Gilbert, editor, EUROCRYPT 2010. LNCS, vol. 6110 (Springer, Heidelberg, 2010), pp. 235–256.
[32]
A. Hülsing, J. Rijneveld, J.M. Schanck, P. Schwabe, High-speed key encapsulation from NTRU, in W. Fischer, N. Homma, editors, CHES 2017. LNCS, vol. 10529 (Springer, Heidelberg, 2017), pp. 232–252.
[33]
V. Lyubashevsky, Lattice signatures without trapdoors, in D. Pointcheval, T. Johansson, editors, EUROCRYPT 2012. LNCS, vol. 7237 (Springer, Heidelberg, 2012), pp. 738–755.
[34]
V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings, in H. Gilbert, editor, EUROCRYPT 2010. LNCS, vol. 6110 (Springer, Heidelberg, 2010), pp. 1–23.
[35]
A. May, How to meet ternary LWE keys, in T. Malkin, C. Peikert, editors, CRYPTO 2021, Part II. LNCS, vol. 12826 (Springer, Heidelberg, Virtual Event, 2021), pp. 701–731.
[36]
A. May, A. Meurer, E. Thomae, Decoding random linear codes in Õ(2^{0.054n}), in D.H. Lee, X. Wang, editors, ASIACRYPT 2011. LNCS, vol. 7073 (Springer, Heidelberg, 2011), pp. 107–124.
[37]
D.H. Nguyen, T.T. Nguyen, T.N. Duong, P.H. Pham, Cryptanalysis of MD5 on GPU cluster, in Proceedings of International Conference on Information Security and Artificial Intelligence, vol. 2 (2010), pp. 910–914.
[38]
R. Niederhagen, K.C. Ning, B.Y. Yang, Implementing Joux-Vitse's crossbred algorithm for solving MQ systems over F_2 on GPUs, in T. Lange, R. Steinwandt, editors, Post-Quantum Cryptography—9th International Conference, PQCrypto 2018 (Springer, Heidelberg, 2018), pp. 121–141.
[39]
C. Peikert, Public-key cryptosystems from the worst-case shortest vector problem: extended abstract, in M. Mitzenmacher, editor, 41st ACM STOC (ACM Press, 2009), pp. 333–342.
[40]
E. Prange, The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962).
[41]
O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in H.N. Gabow, R. Fagin, editors, 37th ACM STOC (ACM Press, 2005), pp. 84–93.
[42]
D. Stehlé, R. Steinfeld, K. Tanaka, K. Xagawa, Efficient public key encryption based on ideal lattices, in M. Matsui, editor, ASIACRYPT 2009. LNCS, vol. 5912 (Springer, Heidelberg, 2009), pp. 617–635.
[43]
P.C. van Oorschot, M.J. Wiener, Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999).
[44]
C. van Vredendaal, Reduced memory meet-in-the-middle attack against the NTRU private key. LMS J. Comput. Math. 19(1), 43–57 (2016).
[45]
H. Zhu, S. Kamada, M. Kudo, T. Takagi, Improved hybrid attack via error-splitting method for finding quinary short lattice vectors, in J. Shikata, H. Kuzuno, editors, Advances in Information and Computer Security—18th International Workshop on Security, IWSEC 2023, Yokohama, Japan, August 29–31, 2023, Proceedings. Lecture Notes in Computer Science, vol. 14128 (Springer, 2023), pp. 117–136.

Published In

Journal of Cryptology  Volume 37, Issue 4
Oct 2024
284 pages

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 20 August 2024
Accepted: 16 July 2024
Revision received: 14 July 2024
Received: 26 January 2024

Author Tags

  1. Learning with errors
  2. Combinatorial attacks
  3. Nested collision search
  4. Representation technique
  5. Polynomial memory
  6. Time-memory trade-off

Qualifiers

  • Research-article
