Solving LWR via BDD Strategy: Modulus Switching Approach

  • Conference paper
Cryptology and Network Security (CANS 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11124)

Abstract

The typical approach to attacking an LWR\(_{m,n,q,p}(\chi _s)\) instance parameterized by four integers m, n, q, p \( (q \ge p)\) and a probability distribution \(\chi _s\) is simply to regard it as a Learning with Errors (LWE) modulo q instance and then adapt known LWE attacks to it. In this paper, we show that for an LWR\(_{m,n,q,p}(\chi _s)\) instance whose parameters satisfy a certain sufficient condition, one can use the BDD strategy to recover the secret with higher advantage by transforming the LWR instance into an LWE modulo \(q'\) instance, with \(q'\) chosen appropriately, instead of an LWE modulo q instance. The optimal modulus \(q'\) used in our BDD attack is quite close to p and typically smaller than q. In particular, our experiments confirm that our BDD attack is much better at solving search-LWR in terms of root Hermite factor, success probability and even running time when the ratio \(\log (q)/ \log (p)\) is large and/or the dimension n is sufficiently large.
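As an added illustration (not code from the paper), the following Python script builds an LWR instance, re-reads it as an LWE instance modulo a chosen \(q'\) by modulus switching, and bounds the resulting error. The parameters n, q, p, the ternary secret, and the two choices \(q' = q\) and \(q' = p\) are assumptions for illustration; the paper only states that its optimal \(q'\) is close to p.

```python
# Added illustration (not the paper's code): one LWR instance viewed as LWE
# modulo q' via modulus switching. Parameters and the choices of q' below are
# assumptions for illustration, not the paper's optimal q'.
import random

def centered_mod(x, m):
    """Representative of x mod m in (-m/2, m/2]."""
    r = x % m
    return r - m if r > m // 2 else r

def lwr_sample(n, q, p, s, rng):
    """One LWR sample: a uniform in Z_q^n, b = round((p/q) * <a, s>) mod p."""
    a = [rng.randrange(q) for _ in range(n)]
    inner = sum(ai * si for ai, si in zip(a, s)) % q
    return a, round(p * inner / q) % p

def switch_to_lwe(a, b, q, p, qp):
    """Re-read (a, b) as an LWE sample modulo qp (the paper's q'):
    a' = round((q'/q) * a) mod q',  b' = round((q'/p) * b) mod q'."""
    a2 = [round(qp * ai / q) % qp for ai in a]
    return a2, round(qp * b / p) % qp

def lwe_error(a2, b2, s, qp):
    """Implied LWE error e' = b' - <a', s> mod q', centered."""
    return centered_mod(b2 - sum(ai * si for ai, si in zip(a2, s)), qp)

def error_bound(n, p, qp):
    """|e'| <= q'/(2p) + 1/2 + n/2 for a ternary secret: the LWR rounding
    error scaled by q'/p, the rounding of b', and at most n/2 from rounding a."""
    return qp / (2 * p) + 0.5 + n / 2

def max_error(n, q, p, qp, m, seed=1):
    """Largest |e'| over m switched samples with a random ternary secret."""
    rng = random.Random(seed)
    s = [rng.choice([-1, 0, 1]) for _ in range(n)]  # constructed secret
    worst = 0
    for _ in range(m):
        a, b = lwr_sample(n, q, p, s, rng)
        a2, b2 = switch_to_lwe(a, b, q, p, qp)
        worst = max(worst, abs(lwe_error(a2, b2, s, qp)))
    return worst

if __name__ == "__main__":
    n, q, p = 64, 1 << 20, 1 << 10  # assumed toy parameters
    for qp in (q, p):  # classical LWE mod q view vs. LWE mod q' = p view
        print(f"q'={qp}: max |e'| = {max_error(n, q, p, qp, 200)}, "
              f"bound = {error_bound(n, p, qp)}, q'/2 = {qp // 2}")
```

The error should always be read relative to its own modulus \(q'\); which view gives the better BDD attack is the question the paper's sufficient condition answers, not something this toy bound decides.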


Notes

  1.

    BKZ of blocksize 20 is usually used in practice because of its time/quality trade-off property.

  2.

    We cannot use either (5) or (6) if the error \(\mathbf {e}\) has a complex behavior. One such error is the \(q'\)-error that we will see in Sect. 5.

  3.

    It is easy to check that the function \(x\ln (x)\) is concave over \((0, +\infty )\).

Acknowledgments

This work was supported by JST CREST Grant Number JPMJCR14D6, Japan. This work was also supported by JSPS KAKENHI Grant Number 16H02830. We would like to thank the anonymous reviewers for their careful reading as well as very helpful comments and suggestions.

Corresponding author

Correspondence to Huy Quoc Le.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Le, H.Q., Mishra, P.K., Duong, D.H., Yasuda, M. (2018). Solving LWR via BDD Strategy: Modulus Switching Approach. In: Camenisch, J., Papadimitratos, P. (eds) Cryptology and Network Security. CANS 2018. Lecture Notes in Computer Science(), vol 11124. Springer, Cham. https://doi.org/10.1007/978-3-030-00434-7_18

  • DOI: https://doi.org/10.1007/978-3-030-00434-7_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00433-0

  • Online ISBN: 978-3-030-00434-7
