Cryptanalysis of Compact-LWE
As an invited speaker of the ACISP 2017 conference, Dongxi Liu recently introduced a new lattice-based encryption scheme (joint work with Li, Kim and Nepal) designed for lightweight IoT applications. The new scheme, which has been submitted to the NIST post-quantum competition, is based on a variant of standard LWE called Compact-LWE, but is claimed to achieve high security levels in considerably smaller dimensions than usual lattice-based schemes. In fact, the proposed parameters, allegedly suitable for 138-bit security, involve the Compact-LWE assumption in dimension only 13.
In this paper, we show that this particularly aggressive choice of parameters fails to achieve the stated security level. More precisely, we show that ciphertexts in the new encryption scheme can be decrypted using the public key alone with >99.9% probability in a fraction of a second on a standard PC. We also describe a more advanced attack which, given the public key, recovers a secret key essentially equivalent to the correct one (in the sense that it correctly decrypts ciphertexts with \(100\%\) probability as fast as legitimate decryption) in a little more than a second.
Furthermore, even setting aside parameter choices, our results show that the ways in which Compact-LWE departs from usual LWE-based encryption schemes do not appear to enhance security in any meaningful way.
KeywordsCompact-LWE Lattice-based cryptography Cryptanalysis Lattice reduction IoT
- [ADPS17]Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S., (eds.) USENIX Security 2016, pp. 327–343. USENIX Association (2017)Google Scholar
- [BCLvV16]Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime. Cryptology ePrint Archive, Report 2016/461 (2016). http://eprint.iacr.org/2016/461
- [BDK+17]Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehlé, D.: CRYSTALS – kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634 (2017) http://eprint.iacr.org/2017/634
- [BTX17a]Bootle, J., Tibouchi, M., Xagawa. K.: Cryptanalysis of Compact-LWE. Cryptology ePrint Archive, Report 2017/742, (2017) http://eprint.iacr.org/2017/742. Full version of this paper
- [BTX17b]Bootle, J., Tibouchi, M., Xagawa, K.: Cryptanalysis of new Compact-LWE. GitHub Gist source code of the ciphertext recovery attack on the NIST version, December 2017 https://gist.github.com/xagawa/ee91d51a56bda5292235e52640f57707
- [CKLS16]Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard: cut off the tail! practical post-quantum public-key encryption from LWE and LWR. Cryptology ePrint Archive, Report 2016/1126 (2016). http://eprint.iacr.org/2016/1126
- [FPL16]The FPLLL Development Team: FPLLL, a lattice reduction library (2016). https://github.com/fplll/fplll
- [Gal12]Galbraith, S.D.: Space-efficient variants of cryptosystems based on learning with errors.(2012). https://www.math.auckland.ac.nz/~sgal018/compact-LWE.pdf
- [Liu17]Liu, D.: Compact-LWE for lightweight public key encryption and leveled IoT authentication. In: Pierpzyk, J., Suriadi, S. (eds.) ACISP 2017, Part I. LNCS, vol. 10342, p. 16. Springer, Heidelberg (2017)Google Scholar
- [LLKN17]Liu, D., Li, N., Kim, J., Nepal, S.: Compact-LWE: Enabling practically lightweight public key encryption for leveled IoT device authentication. Cryptology ePrint Archive, Report 2017/685 (2017). http://eprint.iacr.org/2017/685
- [LLKN18]Liu, D., Li, N., Kim, J., Nepal, S.: Compact-LWE (2018)Google Scholar
- [Pei15]Peikert, C.: A decade of lattice cryptography. Cryptology ePrint Archive, Report 2015/939 (2015). http://eprint.iacr.org/2015/939
- [Reg05]Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press (2005)Google Scholar
- [SM17]The Sage Developers: SageMath, the Sage Mathematics Software System (Version 8.0) (2017). https://www.sagemath.org