Abstract
As an invited speaker of the ACISP 2017 conference, Dongxi Liu recently introduced a new lattice-based encryption scheme (joint work with Li, Kim and Nepal) designed for lightweight IoT applications. The new scheme, which has been submitted to the NIST post-quantum competition, is based on a variant of standard LWE called Compact-LWE, but is claimed to achieve high security levels in considerably smaller dimensions than usual lattice-based schemes. In fact, the proposed parameters, allegedly suitable for 138-bit security, involve the Compact-LWE assumption in dimension only 13.
In this paper, we show that this particularly aggressive choice of parameters fails to achieve the stated security level. More precisely, we show that ciphertexts in the new encryption scheme can be decrypted using the public key alone with >99.9% probability in a fraction of a second on a standard PC. We also describe a more advanced attack which, given the public key, recovers a secret key essentially equivalent to the correct one (in the sense that it correctly decrypts ciphertexts with \(100\%\) probability as fast as legitimate decryption) in a little more than a second.
Furthermore, even setting aside parameter choices, our results show that the ways in which Compact-LWE departs from usual LWE-based encryption schemes do not appear to enhance security in any meaningful way.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We compute a basis \(L \in \mathbb {Z}^{m \times m}\) of \(\varLambda ^\perp (A)\) as follows: Consider a lattice \(\varLambda (A) = \{ \varvec{x} \in \mathbb {Z}^m : \exists \varvec{s} \in \mathbb {Z}_q^n, A \varvec{s} \equiv \varvec{x} \pmod {q} \}\). Let \(Z \in \mathbb {Z}^{m \times m}\) be a basis of \(\varLambda (A)\). We compute \(L = q Z^{-T} \in \mathbb {Z}^{m \times m}\), a basis of \(\varLambda ^\perp (A) = q \widehat{\varLambda (A)}\), where \(\widehat{\varLambda (A)}\) is a dual lattice of \(\varLambda (A)\).
References
Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_6
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S., (eds.) USENIX Security 2016, pp. 327–343. USENIX Association (2017)
Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime. Cryptology ePrint Archive, Report 2016/461 (2016). http://eprint.iacr.org/2016/461
Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehlé, D.: CRYSTALS – kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634 (2017) http://eprint.iacr.org/2017/634
Bootle, J., Tibouchi, M., Xagawa. K.: Cryptanalysis of Compact-LWE. Cryptology ePrint Archive, Report 2017/742, (2017) http://eprint.iacr.org/2017/742. Full version of this paper
Bootle, J., Tibouchi, M., Xagawa, K.: Cryptanalysis of new Compact-LWE. GitHub Gist source code of the ciphertext recovery attack on the NIST version, December 2017 https://gist.github.com/xagawa/ee91d51a56bda5292235e52640f57707
Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard: cut off the tail! practical post-quantum public-key encryption from LWE and LWR. Cryptology ePrint Archive, Report 2016/1126 (2016). http://eprint.iacr.org/2016/1126
The FPLLL Development Team: FPLLL, a lattice reduction library (2016). https://github.com/fplll/fplll
Galbraith, S.D.: Space-efficient variants of cryptosystems based on learning with errors.(2012). https://www.math.auckland.ac.nz/~sgal018/compact-LWE.pdf
Herold, G., May, A.: LP solutions of vectorial integer subset sums – cryptanalysis of Galbraith’s binary matrix LWE. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 3–15. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_1
Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_1
Liu, D.: Compact-LWE for lightweight public key encryption and leveled IoT authentication. In: Pierpzyk, J., Suriadi, S. (eds.) ACISP 2017, Part I. LNCS, vol. 10342, p. 16. Springer, Heidelberg (2017)
Liu, D., Li, N., Kim, J., Nepal, S.: Compact-LWE: Enabling practically lightweight public key encryption for leveled IoT device authentication. Cryptology ePrint Archive, Report 2017/685 (2017). http://eprint.iacr.org/2017/685
Liu, D., Li, N., Kim, J., Nepal, S.: Compact-LWE (2018)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Peikert, C.: A decade of lattice cryptography. Cryptology ePrint Archive, Report 2015/939 (2015). http://eprint.iacr.org/2015/939
Peikert, C.: How (not) to instantiate ring-LWE. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 411–430. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44618-9_22
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press (2005)
The Sage Developers: SageMath, the Sage Mathematics Software System (Version 8.0) (2017). https://www.sagemath.org
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Bootle, J., Tibouchi, M., Xagawa, K. (2018). Cryptanalysis of Compact-LWE. In: Smart, N. (eds) Topics in Cryptology – CT-RSA 2018. CT-RSA 2018. Lecture Notes in Computer Science(), vol 10808. Springer, Cham. https://doi.org/10.1007/978-3-319-76953-0_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-76953-0_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76952-3
Online ISBN: 978-3-319-76953-0
eBook Packages: Computer ScienceComputer Science (R0)