Estimate All the {LWE, NTRU} Schemes!

  • Martin R. Albrecht
  • Benjamin R. CurtisEmail author
  • Amit Deo
  • Alex Davidson
  • Rachel Player
  • Eamonn W. Postlethwaite
  • Fernando VirdiaEmail author
  • Thomas WundererEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11035)


We consider all LWE- and NTRU-based encryption, key encapsulation, and digital signature schemes proposed for standardisation as part of the Post-Quantum Cryptography process run by the US National Institute of Standards and Technology (NIST). In particular, we investigate the impact that different estimates for the asymptotic runtime of (block-wise) lattice reduction have on the predicted security of these schemes. Relying on the “LWE estimator” of Albrecht et al., we estimate the cost of running primal and dual lattice attacks against every LWE-based scheme, using every cost model proposed as part of a submission. Furthermore, we estimate the security of the proposed NTRU-based schemes against the primal attack under all cost models for lattice reduction.



We thank Jean-Philippe Aumasson, Paulo Barreto, Dan Bernstein, Leo Ducas, Mike Hamburg, Duhyeong Kim, Thijs Laarhoven, Vadim Lyubashevsky, Phong Nguyen and the anonymous reviewers for pointing out mistakes in earlier versions of this work.


  1. 1.
    Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press, New York, May 1996Google Scholar
  2. 2.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: 33rd ACM STOC, pp. 601–610. ACM Press, New York, July 2001Google Scholar
  3. 3.
    Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 103–129. Springer, Cham (2017). Scholar
  4. 4.
    Albrecht, M.R., Cid, C., Faugère, J., Perret, L.: Algebraic algorithms for LWE. Cryptology ePrint Archive, Report 2014/1018 (2014).
  5. 5.
    Albrecht, M.R., Faugère, J.-C., Fitzpatrick, R., Perret, L.: Lazy modulus switching for the BKW algorithm on LWE. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 429–445. Springer, Heidelberg (2014). Scholar
  6. 6.
    Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). Scholar
  7. 7.
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 2016, pp. 327–343. USENIX Association (2016)Google Scholar
  9. 9.
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). Scholar
  10. 10.
    Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). Scholar
  11. 11.
    Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014). Scholar
  12. 12.
    Bansarkhani, R.E.: Kindi. Technical report, NIST (2017)Google Scholar
  13. 13.
    Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, New York (2016)Google Scholar
  14. 14.
    Bernstein, D.J.: Table of ciphertext and key sizes for the NIST candidate algorithms (2017).
  15. 15.
  16. 16.
    Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: Ntru prime. Technical report, NIST (2017)Google Scholar
  17. 17.
    Bindel, N., et al.: qTESLA. Technical report, NIST (2017)Google Scholar
  18. 18.
    Bos, J.W., et al.: Frodo: Take off the ring! practical, quantum-secure key exchange from LWE. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 16, pp. 1006–1018. ACM Press, New York, October 2016Google Scholar
  19. 19.
    Chen, Y.: Réduction de réseau et sécurité concréte du chiffrement complétement homomorphe. Ph.D. thesis, Paris 7 (2013)Google Scholar
  20. 20.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). Scholar
  21. 21.
    Cheon, J.H., Han, K., Kim, J., Lee, C., Son, Y.: A practical post-quantum public-key cryptosystem based on \(\sf spLWE\). In: Hong, S., Park, J.H. (eds.) ICISC 2016. LNCS, vol. 10157, pp. 51–74. Springer, Cham (2017). Scholar
  22. 22.
    Cheon, J.H., et al.: Lizard. Technical report, NIST (2017)Google Scholar
  23. 23.
    Coppersmith, D., Shamir, A.: Lattice attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997). Scholar
  24. 24.
    D’Anvers, J., Karmakar, A., Roy, S.S., Vercauteren, F.: Saber. Technical report, NIST (2017)Google Scholar
  25. 25.
    The FPLLL Development Team: fplll, a lattice reduction library (2017).
  26. 26.
    Ding, J., Takagi, T., Gao, X., Wang, Y.: Ding key exchange. Technical report, NIST (2017)Google Scholar
  27. 27.
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–463 (1985)MathSciNetCrossRefGoogle Scholar
  28. 28.
    Fujita, R.: Table of underlying problems of the NIST candidate algorithms (2017).
  29. 29.
    Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 207–216. ACM Press, New York, May 2008Google Scholar
  30. 30.
    Garcia-Morchon, O., Zhang, Z., Bhattacharya, S., Rietman, R., Tolhuizen, L., Torre-Arce, J.: Round2. Technical report, NIST (2017)Google Scholar
  31. 31.
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: 28th ACM STOC, pp. 212–219. ACM Press, New York, May 1996Google Scholar
  32. 32.
    Guo, Q., Johansson, T., Mårtensson, E., Stankovski, P.: Coded-BKW with sieving. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 323–346. Springer, Cham (2017). Lecture Notes in Computer ScienceCrossRefGoogle Scholar
  33. 33.
    Guo, Q., Johansson, T., Stankovski, P.: Coded-BKW: solving LWE using lattice codes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 23–42. Springer, Heidelberg (2015). Lecture Notes in Computer ScienceCrossRefGoogle Scholar
  34. 34.
    Hamburg, M.: Three bears. Technical report, NIST (2017)Google Scholar
  35. 35.
    Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W., Zhang, Z.: Choosing parameters for NTRUEncrypt. Cryptology ePrint Archive, Report 2015/708 (2015).
  36. 36.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a new high speed public-key cryptosystem. Technical report, Draft distributed at CRYPTO96 (1996).
  37. 37.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). Scholar
  38. 38.
    Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). Scholar
  39. 39.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: 15th ACM STOC, pp. 193–206. ACM Press, New York, April 1983Google Scholar
  40. 40.
    Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 415–440 (1987)Google Scholar
  41. 41.
    Kirchner, P., Fouque, P.-A.: An improved BKW algorithm for LWE with applications to cryptography and lattices. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 43–62. Springer, Heidelberg (2015). Scholar
  42. 42.
    Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). Scholar
  43. 43.
    Laarhoven, T.: Search problems in cryptography: from fingerprinting to lattice sieving. Ph.D. thesis, Eindhoven University of Technology (2015)Google Scholar
  44. 44.
    Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). Scholar
  45. 45.
    Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Crypt. 77(2–3), 375–400 (2015)MathSciNetCrossRefGoogle Scholar
  46. 46.
    Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2015)MathSciNetCrossRefGoogle Scholar
  47. 47.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). Scholar
  48. 48.
    Lu, X., Liu, Y., Jia, D., Xue, H., He, J., Zhang, Z.: Lac. Technical report, NIST (2017)Google Scholar
  49. 49.
    Lyubashevsky, V., et al.: Crystals-dilithium. Technical report, NIST (2017)Google Scholar
  50. 50.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). Scholar
  51. 51.
    May, A., Silverman, J.H.: Dimension reduction methods for convolution modular lattices. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 110–125. Springer, Heidelberg (2001). Scholar
  52. 52.
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009). Scholar
  53. 53.
    Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: Indyk, P. (ed.) 26th SODA, pp. 276–294. ACM-SIAM, New York, January 2015Google Scholar
  54. 54.
    Moody, D.: The NIST post quantum cryptography “competition” (2017).
  55. 55.
    Naehrig, M., et al.: Frodokem. Technical report, NIST (2017)Google Scholar
  56. 56.
  57. 57.
    NIST: Submission requirements and evaluation criteria for the Post-Quantum Cryptography standardization process, December 2016.
  58. 58.
    NIST: Performance testing of the NIST candidate algorithms (2017).
  59. 59.
    Phong, L.T., Hayashi, T., Aono, Y., Moriai, S.: Lotus. Technical report, NIST (2017)Google Scholar
  60. 60.
    Poppelmann, T., et al.: Newhope. Technical report, NIST (2017)Google Scholar
  61. 61.
    Prest, T., et al.: Falcon. Technical report, NIST (2017)Google Scholar
  62. 62.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, New York, May 2005Google Scholar
  63. 63.
    Saarinen, M.O.: Hila5. Technical report, NIST (2017)Google Scholar
  64. 64.
    Schanck, J.: Practical lattice cryptosystems: NTRUEncrypt and NTRUMLS. Master’s thesis, University of Waterloo (2015)Google Scholar
  65. 65.
    Schanck, J.M., Hulsing, A., Rijneveld, J., Schwabe, P.: Ntru-hrss-kem. Technical report, NIST (2017)Google Scholar
  66. 66.
    Schnorr, C., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)MathSciNetCrossRefGoogle Scholar
  67. 67.
    Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). Scholar
  68. 68.
    Schwabe, P., et al.: Crystals-kyber. Technical report, NIST (2017)Google Scholar
  69. 69.
    Seo, M., Park, J.H., Lee, D.H., Kim, S., Lee, S.: Emblem and r.emblem. Technical report, NIST (2017)Google Scholar
  70. 70.
    Smart, N.P., et al.: Lima. Technical report, NIST (2017)Google Scholar
  71. 71.
    Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). Scholar
  72. 72.
    Steinfeld, R., Sakzad, A., Zhao, R.K.: Titanium. Technical report, NIST (2017)Google Scholar
  73. 73.
    Wunderer, T.: Revisiting the hybrid attack: improved analysis and refined security estimates. Cryptology ePrint Archive, Report 2016/733 (2016).
  74. 74.
    Zhang, Z., Chen, C., Hoffstein, J., Whyte, W.: NTRUEncrypt. Technical report, NIST (2017)Google Scholar
  75. 75.
    Zhang, Z., Chen, C., Hoffstein, J., Whyte, W.: pqNTRUSign. Technical report, NIST (2017)Google Scholar
  76. 76.
    Zhao, Y., Jin, Z., Gong, B., Sui, G.: KCL (pka OKCN/AKCN/CNKE). Technical report, NIST (2017)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Information Security GroupRoyal Holloway, University of LondonLondonUK
  2. 2.Sorbonne Université, CNRS, INRIA, Laboratoire d’Informatique de Paris 6, LIP6, Équipe PolSysParisFrance
  3. 3.Technische Universität DarmstadtDarmstadtGermany

Personalised recommendations