Abstract
A famous reduction by Regev shows that random instances of the Learning With Errors (LWE) problem are asymptotically at least as hard as a worst-case lattice problem. As such, by assuming that standard lattice problems are hard to solve, the asymptotic security of cryptosystems based on the LWE problem is guaranteed. However, it has not been clear to which extent, if any, this reduction provides support for the security of present concrete parametrizations.
In this work we therefore use Regev’s reduction to parametrize a cryptosystem, providing a reference as to what parameters are required to actually claim security from this reduction. This requires us to account for the concrete performance of this reduction, allowing the first parametrization of a cryptosystem that is provably secure based only on a conservative hardness estimate for a standard lattice problem. Even though we attempt to optimize the reduction, our system still requires significantly larger parameters than typical LWE-based cryptosystems, highlighting the significant gap between parameters that are used in practice and those for which worst-case reductions actually are applicable.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
That the LWE oracle provided to Regev’s reduction will require many LWE samples was also noticed in a paper by Koblitz et al. [10] that analyzed a similar reduction for ring-LWE.
References
Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19
Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296(1), 625–635 (1993). https://doi.org/10.1007/BF01445125
Chailloux, A., Loyer, J.: Lattice sieving via quantum random walks. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13093, pp. 63–91. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_3
Chatterjee, S., Koblitz, N., Menezes, A., Sarkar, P.: Another look at tightness II: practical issues in cryptography. In: Phan, R.C.-W., Yung, M. (eds.) Mycrypt 2016. LNCS, vol. 10311, pp. 21–55. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61273-7_3
Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Université Paris Diderot (2013). http://www.theses.fr/2013PA077242. 2013PA077242
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2011). https://doi.org/10.1007/s00145-011-9114-1
Gates, F.: Reduction-Respecting Parameters for Lattice-Based Cryptosystems. Master’s thesis, McMaster University (2018)
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4
Koblitz, N., Samajder, S., Sarkar, P., Singha, S.: Concrete analysis of approximate ideal-SIVP to decision ring-LWE reduction. Adv. Math. Commun. (2022). https://doi.org/10.3934/amc.2022082
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2014). https://doi.org/10.1007/s10623-014-9938-4
Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th Annual Symposium on Foundations of Computer Science, pp. 372–381. IEEE Computer Society Press, Rome (2004). https://doi.org/10.1109/FOCS.2004.72
Micciancio, D., Regev, O.: Lattice-based Cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7_5
Naehrig, M., et al.: FrodoKEM. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions
Pekert, C.: What does GCHQ’S “cautionary tale” mean for lattice cryptography?. https://web.eecs.umich.edu/~cpeikert/soliloquy.html
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, pp. 84–93. STOC 2005, Association for Computing Machinery, New York (2005). https://doi.org/10.1145/1060590.1060603
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009). https://doi.org/10.1145/1568318.1568324
Rogers, C.A.: The number of lattice points in a set. In: Proceedings of the London Mathematical Society, vol. s3–6(2), pp. 305–320 (1956). https://doi.org/10.1112/plms/s3-6.2.305
Sarkar, P., Singha, S.: Verifying solutions to LWE with implications for concrete security. Adv. Math. Commun. 15(2), 257–266 (2021). https://doi.org/10.3934/amc.2020057
Schnorr, C., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994). https://doi.org/10.1007/BF01581144
Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022
Södergren, A.: On the Poisson distribution of lengths of lattice vectors in a random lattice. Math. Z. 269(3–4), 945–954 (2011). https://doi.org/10.1007/s00209-010-0772-8
Acknowledgments
This research has been supported in part by the Swedish Armed Forces and was conducted at KTH Center for Cyber Defense and Information Security (CDIS). The author would like to thank Johan Håstad for his helpful input.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A More Parametrizations
A More Parametrizations
In Table 2 we include some additional, more efficient, parametrizations of our cryptosystem that are supported by a more detailed analysis of the same reductions used for the parametrizations in Table 1. This more detailed analysis is included in an extended version of this work and keeps track of the reduction failure probability. As we can accept a small but noticeable reduction failure probability, this allows more efficient parametrizations. This is mainly thanks to letting us consider the smoothing parameter \(\eta _{\varepsilon }(L)\) for \(\varepsilon > 2^{-n}\), allowing us to solve \(\text {SIVP}_{\gamma _R}\) with an approximation factor \(\gamma _R\) that is smaller than \(\sqrt{2} nq\).
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Gärtner, J. (2023). Concrete Security from Worst-Case to Average-Case Lattice Reductions. In: El Mrabet, N., De Feo, L., Duquesne, S. (eds) Progress in Cryptology - AFRICACRYPT 2023. AFRICACRYPT 2023. Lecture Notes in Computer Science, vol 14064. Springer, Cham. https://doi.org/10.1007/978-3-031-37679-5_15
Download citation
DOI: https://doi.org/10.1007/978-3-031-37679-5_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-37678-8
Online ISBN: 978-3-031-37679-5
eBook Packages: Computer ScienceComputer Science (R0)