Abstract
In the Learning with Errors (LWE) problem we are given a matrix \(A\in \mathbb {Z}_q^{N \times N}\) and a target vector \(\boldsymbol{t}\in \mathbb {Z}_q^N\) such that there exist small-norm \(\boldsymbol{s}, \boldsymbol{e}\in \mathbb {Z}_q^N\) satisfying \(A\cdot \boldsymbol{s}= \boldsymbol{t}+ \boldsymbol{e}\bmod q\). Modern cryptosystems often sample \(\boldsymbol{s}, \boldsymbol{e}\) from narrow distributions that take integer values in a small range \([-\eta , \eta ]\). Kyber and Dilithium use \(\eta =2\) and \(\eta =3\), drawn from a Centered Binomial distribution (Kyber) or a Uniform distribution (Dilithium).
In this work, we address the fundamental question of how hard it is to enumerate LWE secret keys for narrow distributions with \(\eta \le 3\). At CRYPTO 2021, May proposed a representation-based algorithm for enumerating ternary keys, i.e. the case \(\eta = 1\), with a fixed number of \(\pm 1\) entries. In this work, we extend May's algorithm in several ways.
First, we show how to deal with keys sampled from a probability distribution as in many modern systems like Kyber and Dilithium, rather than with keys having a fixed number of entries.
Second, we generalize to larger values \(\eta = 2, 3\), thereby achieving asymptotic key guess complexities that are not far off from lattice estimates.
E.g. for Kyber’s Centered Binomial distribution we achieve heuristic time/memory complexities of \(\mathcal {O}(2^{0.36N})\) for \(\eta =2\), and \(\mathcal {O}(2^{0.37N})\) for \(\eta =3\). For Dilithium’s Uniform distribution we achieve heuristic complexity \(\mathcal {O}(2^{0.38N})\) for \(\eta =2\).
Let \(\mathcal {S}\) be the Shannon entropy of Kyber/Dilithium keys, i.e. the effective size of the key space. Then our algorithm runs in time about \(\mathcal{S}^{\frac{1}{6}}\), which greatly improves over the standard combinatorial Meet-in-the-Middle attack with complexity \(\mathcal{S}^{\frac{1}{2}}\).
Our results also compare well to current lattice asymptotics of \(2^{0.29 \beta }\), where the lattice parameter \(\beta \) is roughly of size \(\frac{4}{5} N\). Thus, our analysis supports that Kyber secret keys are indeed hard to enumerate. Yet, we find it remarkable that a purely combinatorial key search is almost competitive with highly evolved lattice sieving techniques.
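The following script is an added worked check of the entropy bookkeeping in the abstract; it is not code from the paper. It computes the exact per-coordinate distributions (Kyber's centered binomial \(\mathrm{CBD}_\eta\), Dilithium's uniform on \([-\eta,\eta]\)), their Shannon entropy \(h\) in bits, and turns the abstract's \(\mathcal{S}^{1/2}\) and \(\mathcal{S}^{1/6}\) into exponents of the form \(2^{cN}\) under the reading \(\mathcal{S}=2^{hN}\) (that reading, the function names, and the illustrative dimension \(N=512\) are assumptions made here, not statements from the paper; the \(1/6\) exponent itself is the paper's claim and is not derived by the script).

```python
"""Added example: per-coordinate entropy of Kyber/Dilithium secret distributions
and the resulting 2^(c*N) exponents for S^(1/2) (generic MitM) and S^(1/6)
(the paper's claim). Reading S = 2^(h*N) is an assumption made here."""
from fractions import Fraction
from math import comb, log2


def cbd_pmf(eta):
    """Exact PMF of the centered binomial distribution CBD_eta on [-eta, eta].

    A sample is sum_{i<eta}(a_i - b_i) for independent uniform bits a_i, b_i,
    so x = (#ones among 2*eta bits) - eta and P(x = k) = C(2*eta, eta+k) / 4^eta.
    """
    return {k: Fraction(comb(2 * eta, eta + k), 4 ** eta) for k in range(-eta, eta + 1)}


def uniform_pmf(eta):
    """Exact PMF of the uniform distribution on the integers [-eta, eta]."""
    return {k: Fraction(1, 2 * eta + 1) for k in range(-eta, eta + 1)}


def entropy_bits(pmf):
    """Shannon entropy in bits of a single coordinate."""
    return -sum(float(p) * log2(float(p)) for p in pmf.values() if p)


def exponents(pmf):
    """Exponents c in 2^(c*N) for one distribution.

    Assumption (our reading of the abstract): S counts keys, S = 2^(h*N),
    so a generic Meet-in-the-Middle search costs S^(1/2) = 2^(h/2 * N) and
    the paper's S^(1/6) corresponds to 2^(h/6 * N).
    """
    h = entropy_bits(pmf)
    return {
        "entropy_per_coord": h,
        "mitm_S_half": h / 2,
        "paper_S_sixth": h / 6,
    }


# Lattice reference point quoted in the abstract: 2^(0.29 beta) with beta ~ (4/5) N.
LATTICE_EXPONENT_PER_N = 0.29 * 4 / 5

DISTRIBUTIONS = (
    ("CBD eta=2", cbd_pmf(2)),
    ("CBD eta=3", cbd_pmf(3)),
    ("Uniform eta=2", uniform_pmf(2)),
    ("Uniform eta=3", uniform_pmf(3)),
)


def compare(N):
    """Bit-costs for key dimension N under each distribution and attack model."""
    rows = {}
    for name, pmf in DISTRIBUTIONS:
        e = exponents(pmf)
        rows[name] = {
            "log2_keyspace": e["entropy_per_coord"] * N,
            "mitm_bits": e["mitm_S_half"] * N,
            "S_sixth_bits": e["paper_S_sixth"] * N,
            "lattice_bits": LATTICE_EXPONENT_PER_N * N,
        }
    return rows


if __name__ == "__main__":
    for name, pmf in DISTRIBUTIONS:
        e = exponents(pmf)
        print(f"{name:14s} h={e['entropy_per_coord']:.3f} bits/coord  "
              f"MitM 2^{{{e['mitm_S_half']:.3f}N}}  S^(1/6) 2^{{{e['paper_S_sixth']:.3f}N}}")
    # N = 512 is an illustrative dimension chosen here, not taken from the paper.
    for name, row in compare(512).items():
        print(name, {k: round(v, 1) for k, v in row.items()})
```

Running it shows why the abstract says "about" \(\mathcal{S}^{1/6}\): \(\mathrm{CBD}_2\) has \(h\approx 2.03\) bits per coordinate, so \(h/6\approx 0.338\) against the stated \(0.36\); uniform \(\eta=2\) gives \(\log_2 5/6\approx 0.387\) against \(0.38\); and \(\mathrm{CBD}_3\) gives \(\approx 0.389\) against \(0.37\). The generic MitM exponent \(h/2\) is about \(1.0N\) to \(1.17N\), while the quoted lattice exponent \(0.29\cdot\frac{4}{5}N\approx 0.23N\) remains below all of them.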
Funded by Deutsche Forschungsgemeinschaft (DFG) - Project number 465120249.
Notes
- 1.
This conclusion is of course only valid relative to our algorithm. Relative to other algorithms like lattice reduction, the key security might behave differently.
References
Becker, A., Coron, J.-S., Joux, A.: Improved generic algorithms for hard knapsacks. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 364–385. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_21
Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31
Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: round 2 specification (2019)
Bonnetain, X., Bricout, R., Schrottenloher, A., Shen, Y.: Improved classical and quantum algorithms for subset-sum. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 633–666. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_22
Bos, J., et al.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 353–367. IEEE (2018)
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 6(3), 1–36 (2014)
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. SIAM J. Comput. 43(2), 831–871 (2014)
Chen, C., et al.: NTRU algorithm specifications and supporting documentation. Brown University and Onboard security company, Wilmington, USA (2019)
D’Anvers, J.-P., Karmakar, A., Sinha Roy, S., Vercauteren, F.: Saber: module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 282–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_16
Devadas, S., Ren, L., Xiao, H.: On iterative collision search for LPN and subset sum. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 729–746. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_24
Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and Bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
Esser, A., May, A., Verbel, J., Wen, W.: Partial key exposure attacks on BIKE, Rainbow and NTRU. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13509, pp. 346–375. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15982-4_12
Esser, A., May, A., Zweydinger, F.: McEliece needs a break - solving McEliece-1284 and Quasi-Cyclic-2918 with modern ISD. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 433–457. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_16
Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_31
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Howgrave-Graham, N., Joux, A.: New generic algorithms for hard knapsacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 235–256. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_12
May, A.: How to meet ternary LWE keys. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 701–731. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_24
May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_6
Mitzenmacher, M., Upfal, E.: Probability and Computing: Randomization and Probabilistic Techniques in Algorithms and Data Analysis. Cambridge University Press, Cambridge (2017)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93. Association for Computing Machinery, New York (2005). https://doi.org/10.1145/1060590.1060603
Silverman, J.H., Odlyzko, A.: A meet-in-the-middle attack on an NTRU private key. Preprint (1997)
Waterhouse, W.C.: How often do determinants over finite fields vanish? Discret. Math. 65(1), 103–104 (1987). https://doi.org/10.1016/0012-365X(87)90217-2
A Full Parameter Sets: Ternary, Binomial, and Uniform
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Glaser, T., May, A. (2023). How to Enumerate LWE Keys as Narrow as in Kyber/Dilithium. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_4
DOI: https://doi.org/10.1007/978-981-99-7563-1_4
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7562-4
Online ISBN: 978-981-99-7563-1
eBook Packages: Computer Science (R0)