How to Enumerate LWE Keys as Narrow as in Kyber/Dilithium

Abstract

In the Learning with Errors (LWE) problem we are given a matrix \(A\in \mathbb {Z}_q^{N \times N}\) and a target vector \(\boldsymbol{t}\in \mathbb {Z}_q^N\) such that there exists small-norm \(\boldsymbol{s}, \boldsymbol{e}\in \mathbb {Z}_q^N\) satisfying \(A\cdot \boldsymbol{s}= \boldsymbol{t}+ \boldsymbol{e}\bmod q\). Modern cryptosystems often sample \(\boldsymbol{s}, \boldsymbol{e}\) from narrow distributions that take integer values in a small range \([-\eta , \eta ].\) Kyber and Dilithium both choose \(\eta =2\) and \(\eta =3\) using either a Centered Binomial distribution (Kyber), or a Uniform distribution (Dilithium).

In this work, we address the fundamental question how hard the enumeration of LWE secret keys for narrow distributions with \(\eta \le 3\) is. At Crypto 21, May proposed a representation-based algorithm for enumerating ternary keys, i.e. the case \(\eta = 1\), with a fixed number of \(\pm 1\) entries. In this work, we extend May’s algorithm in several ways.

First, we show how to deal with keys sampled from a probability distribution as in many modern systems like Kyber and Dilithium, rather than with keys having a fixed number of entries.

Second, we generalize to larger values \(\eta = 2, 3\), thereby achieving asymptotic key guess complexities that are not far off from lattice estimates.

E.g. for Kyber’s Centered Binomial distribution we achieve heuristic time/memory complexities of \(\mathcal {O}(2^{0.36N})\) for \(\eta =2\), and \(\mathcal {O}(2^{0.37N})\) for \(\eta =3\). For Dilithium’s Uniform distribution we achieve heuristic complexity \(\mathcal {O}(2^{0.38N})\) for \(\eta =2\).

Let \(\mathcal {S}\) be the Shannon entropy of Kyber/Dilithium keys. Then our algorithms runs in time about \(\mathcal{S}^{\frac{1}{6}}\), which greatly improves over the standard combinatorial Meet-in-the-Middle attack with complexity \(\mathcal{S}^{\frac{1}{2}}\).

Our results also compare well to current lattice asymptotics of \(2^{0.29 \beta }\), where the lattice parameter \(\beta \) is roughly of size \(\frac{4}{5} N\). Thus, our analysis supports that Kyber secret keys are indeed hard to enumerate. Yet, we find it remarkable that a purely combinatorial key search is almost competitive with highly evolved lattice sieving techniques.

Funded by Deutsche Forschungsgemeinschaft (DFG) - Project number 465120249.

A Full Parameter Sets: Ternary, Binomial, and Uniform

Table 12. Parameter sets for Ternary distributions (left, Rep-2) and Centered Binomial and Uniform distributions (right, Rep-3).