Solving LWR via BDD Strategy: Modulus Switching Approach

  • Huy Quoc Le
  • Pradeep Kumar Mishra
  • Dung Hoang Duong
  • Masaya Yasuda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11124)

Abstract

The typical approach to attacking an LWR\(_{m,n,q,p}(\chi_s)\) instance, parameterized by four integers m, n, q, p \((q \ge p)\) and a probability distribution \(\chi_s\), is simply to regard it as a Learning with Errors (LWE) instance modulo q and then adapt known LWE attacks to that instance. In this paper, we show that for an LWR\(_{m,n,q,p}(\chi_s)\) instance whose parameters satisfy a certain sufficient condition, one can use the BDD strategy to recover the secret with higher advantage if one transforms the LWR instance into an LWE instance modulo \(q'\), with \(q'\) chosen appropriately, instead of an LWE instance modulo q. The optimal modulus \(q'\) used in our BDD attack is quite close to p and typically smaller than q. In particular, our experiments confirm that our BDD attack is much better at solving search-LWR in terms of root Hermite factor, success probability and even running time when the ratio \(\log(q)/\log(p)\) is large and/or the dimension n is sufficiently large.
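The transformation the abstract refers to can be made concrete. The following Python is an added illustration, not code from the paper: it samples an LWR instance, rescales it to an LWE instance modulo a chosen \(q'\) (rounding both the matrix and the rounded products), and checks the resulting error against the bound that the rounding steps imply. The secret distribution (ternary), the parameter sizes and the moduli tried are assumptions for the demonstration; the paper's rule for selecting the optimal \(q'\) is not reproduced here.

```python
import random


def centered_mod(x, m):
    """Reduce the integer x into the centered interval (-m/2, m/2]."""
    r = x % m
    return r - m if r > m // 2 else r


def round_div(x, num, den):
    """Return round(x * num / den) with ties rounded up, using integers only."""
    return (2 * x * num + den) // (2 * den)


def lwr_instance(m, n, q, p, seed):
    """Sample an LWR_{m,n,q,p} instance: b_i = round((p/q) * (<a_i, s> mod q)) mod p.

    The secret is ternary (assumed chi_s for this demo); A is uniform mod q.
    """
    rng = random.Random(seed)
    s = [rng.choice((-1, 0, 1)) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [round_div(sum(a * x for a, x in zip(row, s)) % q, p, q) % p for row in A]
    return A, b, s


def switch_to_lwe(A, b, q, p, q_new):
    """Modulus switching: map the LWR pair (A, b) to an LWE pair (A', b') mod q_new.

    A' = round((q_new/q) * A), b' = round((q_new/p) * b). For q_new == q the
    matrix is unchanged; for q_new == p the vector b is unchanged.
    """
    A_new = [[round_div(a, q_new, q) % q_new for a in row] for row in A]
    b_new = [round_div(v, q_new, p) % q_new for v in b]
    return A_new, b_new


def recovered_error(A_new, b_new, s, q_new):
    """Centered error e' = b' - A' s mod q_new (computable here only because s is known)."""
    return [centered_mod(bi - sum(a * x for a, x in zip(row, s)), q_new)
            for row, bi in zip(A_new, b_new)]


def error_bound(s, p, q_new):
    """Worst-case |e'_i|: 1/2 from rounding b', q_new/(2p) from the LWR rounding
    rescaled to q_new, and ||s||_1 / 2 from rounding the entries of A."""
    return 0.5 + q_new / (2 * p) + sum(abs(x) for x in s) / 2


def demo(m=60, n=30, q=4096, p=256, moduli=(4096, 1024, 256), seed=1):
    """Return {q_new: (max |e'_i| observed, proven bound)} for each trial modulus."""
    A, b, s = lwr_instance(m, n, q, p, seed)
    out = {}
    for q_new in moduli:
        A_new, b_new = switch_to_lwe(A, b, q, p, q_new)
        e = recovered_error(A_new, b_new, s, q_new)
        out[q_new] = (max(abs(x) for x in e), error_bound(s, p, q_new))
    return out


if __name__ == "__main__":
    for q_new, (max_err, bound) in demo().items():
        print(f"q'={q_new:5d}: max|e'|={max_err:3d}  bound={bound:6.1f}  "
              f"q'/max|e'|={q_new / max(max_err, 1):.1f}")
```

The printed ratio \(q'/\max|e'|\) is the quantity a BDD solver cares about: the LWR rounding error contributes \(q'/(2p)\), which shrinks with \(q'\), while the error from rounding the matrix entries depends only on the secret and does not shrink, which is why a modulus far below p stops helping.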

Keywords

  • Learning with Errors (LWE)
  • Learning with Rounding (LWR)
  • Bounded Distance Decoding (BDD) strategy
  • Modulus switching
  • Lattice basis reduction
  • Babai's Nearest Plane (BNP) algorithm

Notes

Acknowledgments

This work was supported by JST CREST Grant Number JPMJCR14D6, Japan. This work was also supported by JSPS KAKENHI Grant Number 16H02830. We would like to thank the anonymous reviewers for their careful reading as well as very helpful comments and suggestions.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Huy Quoc Le (1)
  • Pradeep Kumar Mishra (1)
  • Dung Hoang Duong (2)
  • Masaya Yasuda (3, 4)

  1. Graduate School of Mathematics, Kyushu University, Fukuoka-shi, Japan
  2. School of Computing and Information Technology, University of Wollongong, Wollongong, Australia
  3. Institute of Mathematics for Industry, Kyushu University, Fukuoka-shi, Japan
  4. JST, CREST, Kawaguchi, Japan