Cryptanalysis of Compact-LWE

  • Jonathan Bootle
  • Mehdi Tibouchi
  • Keita Xagawa
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)


As an invited speaker of the ACISP 2017 conference, Dongxi Liu recently introduced a new lattice-based encryption scheme (joint work with Li, Kim and Nepal) designed for lightweight IoT applications. The new scheme, which has been submitted to the NIST post-quantum competition, is based on a variant of standard LWE called Compact-LWE, but is claimed to achieve high security levels in considerably smaller dimensions than usual lattice-based schemes. In fact, the proposed parameters, allegedly suitable for 138-bit security, involve the Compact-LWE assumption in dimension only 13.

In this paper, we show that this particularly aggressive choice of parameters fails to achieve the stated security level. More precisely, we show that ciphertexts in the new encryption scheme can be decrypted using the public key alone with >99.9% probability in a fraction of a second on a standard PC. We also describe a more advanced attack which, given the public key, recovers a secret key essentially equivalent to the correct one (in the sense that it correctly decrypts ciphertexts with \(100\%\) probability as fast as legitimate decryption) in a little more than a second.

Furthermore, even setting aside parameter choices, our results show that the ways in which Compact-LWE departs from usual LWE-based encryption schemes do not appear to enhance security in any meaningful way.


Compact-LWE Lattice-based cryptography Cryptanalysis Lattice reduction IoT 


  1. [ABD16]
    Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  2. [ADPS17]
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S., (eds.) USENIX Security 2016, pp. 327–343. USENIX Association (2017)Google Scholar
  3. [BCLvV16]
    Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime. Cryptology ePrint Archive, Report 2016/461 (2016).
  4. [BDK+17]
    Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehlé, D.: CRYSTALS – kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634 (2017)
  5. [BTX17a]
    Bootle, J., Tibouchi, M., Xagawa. K.: Cryptanalysis of Compact-LWE. Cryptology ePrint Archive, Report 2017/742, (2017) Full version of this paper
  6. [BTX17b]
    Bootle, J., Tibouchi, M., Xagawa, K.: Cryptanalysis of new Compact-LWE. GitHub Gist source code of the ciphertext recovery attack on the NIST version, December 2017
  7. [CKLS16]
    Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard: cut off the tail! practical post-quantum public-key encryption from LWE and LWR. Cryptology ePrint Archive, Report 2016/1126 (2016).
  8. [FPL16]
    The FPLLL Development Team: FPLLL, a lattice reduction library (2016).
  9. [Gal12]
    Galbraith, S.D.: Space-efficient variants of cryptosystems based on learning with errors.(2012).
  10. [HM17]
    Herold, G., May, A.: LP solutions of vectorial integer subset sums – cryptanalysis of Galbraith’s binary matrix LWE. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 3–15. Springer, Heidelberg (2017). CrossRefGoogle Scholar
  11. [KF17]
    Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). CrossRefGoogle Scholar
  12. [Liu17]
    Liu, D.: Compact-LWE for lightweight public key encryption and leveled IoT authentication. In: Pierpzyk, J., Suriadi, S. (eds.) ACISP 2017, Part I. LNCS, vol. 10342, p. 16. Springer, Heidelberg (2017)Google Scholar
  13. [LLKN17]
    Liu, D., Li, N., Kim, J., Nepal, S.: Compact-LWE: Enabling practically lightweight public key encryption for leveled IoT device authentication. Cryptology ePrint Archive, Report 2017/685 (2017).
  14. [LLKN18]
    Liu, D., Li, N., Kim, J., Nepal, S.: Compact-LWE (2018)Google Scholar
  15. [LLL82]
    Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)MathSciNetCrossRefzbMATHGoogle Scholar
  16. [LPR10]
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  17. [Pei15]
    Peikert, C.: A decade of lattice cryptography. Cryptology ePrint Archive, Report 2015/939 (2015).
  18. [Pei16]
    Peikert, C.: How (not) to instantiate ring-LWE. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 411–430. Springer, Cham (2016). Google Scholar
  19. [Reg05]
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press (2005)Google Scholar
  20. [SM17]
    The Sage Developers: SageMath, the Sage Mathematics Software System (Version 8.0) (2017).

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.University College LondonLondonUK
  2. 2.NTT Secure Platform LaboratoriesTokyoJapan

Personalised recommendations