Skip to main content
SpringerLink
Log in

Quantum Key Search for Ternary LWE

  • Conference paper
  • First Online:
Post-Quantum Cryptography (PQCrypto 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12841))

Included in the following conference series:

Abstract

Ternary LWE, i.e., LWE with coefficients of the secret and the error vectors taken from \(\{-1, 0, 1\}\), is a popular choice among NTRU-type cryptosystems and some signatures schemes like BLISS and GLP.

In this work we consider quantum combinatorial attacks on ternary LWE. Our algorithms are based on the quantum walk framework of Magniez-Nayak-Roland-Santha. At the heart of our algorithms is a combinatorial tool called the representation technique that appears in algorithms for the subset sum problem. This technique can also be applied to ternary LWE resulting in faster attacks. The focus of this work is quantum speed-ups for such representation-based attacks on LWE.

When expressed in terms of the search space \(\mathcal {S}\) for LWE keys, the asymptotic complexity of the representation attack drops from \(\mathcal {S}^{0.24}\) (classical) down to \(\mathcal {S}^{0.19}\) (quantum). This translates into noticeable attack’s speed-ups for concrete NTRU instantiations like NTRU-HRSS [CHES’17] and NTRU Prime [SAC’17].

Our algorithms do not undermine current security claims for NTRU or other ternary LWE based schemes, yet they can lay ground for improvements of the combinatorial subroutines inside hybrid attacks on LWE.

I. van Hoof and A. May—Funded by DFG under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972.

E. Kirshanova—Supported by the “5-100” Russian academic excellence project and the “Young Russian Mathematics” grant.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    By ‘combinatorial’ here we exclude BKW-like algorithms [KF15, GJS15], since these apply only to LWE with \(m \gg n\), which is not the case for NTRU-type schemes.

References

  1. Albrecht, M.R., Curtis, B.R., Deo, A., Davidson, A., Player, R., Postlethwaite, E.W., Virdia, F., Wunderer, T.: Estimate All the LWE, NTRU Schemes! In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19

    Chapter  Google Scholar 

  2. Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007)

    Article  MathSciNet  Google Scholar 

  3. Bonnetain, X., Bricout, R., Schrottenloher, A., Shen, Y.: improved classical and quantum algorithms for subset-sum. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 633–666. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_22

    Chapter  Google Scholar 

  4. Becker, A., Coron, J.-S., Joux, A.: Improved generic algorithms for hard knapsacks. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 364–385. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_21

    Chapter  Google Scholar 

  5. Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: reducing attack surface at low cost. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 235–260. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_12

    Chapter  Google Scholar 

  6. Buhrman, H., et al.: Quantum algorithms for element distinctness. SIAM J. Comput. 34(6), 1324–1330 (2005)

    Article  MathSciNet  Google Scholar 

  7. Bos, W.J., et al.: Crystals - kyber: a CCA-secure module-lattice-based kem. In: EuroS&P, pp. 353–367 (2018)

    Google Scholar 

  8. Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08344-5_21

    Chapter  Google Scholar 

  9. Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. Quantum Comput. Inf. 305, 53–74 (2002). https://doi.org/10.1090/conm/305

    Article  MathSciNet  MATH  Google Scholar 

  10. Bernstein, D.J., Jeffery, S., Lange, T., Meurer, A.: Quantum algorithms for the subset-sum problem. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 16–33. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_2

    Chapter  Google Scholar 

  11. Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC. ACM Press, pp. 575–584 (2013)

    Google Scholar 

  12. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice Signatures and Bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3

    Chapter  Google Scholar 

  13. Guo, Q., Johansson, T., Stankovski, P.: Coded-BKW: solving LWE using lattice codes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 23–42. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_2

    Chapter  Google Scholar 

  14. Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_31

    Chapter  MATH  Google Scholar 

  15. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: 28th ACM STOC, pp. 212–219. ACM Press (1996)

    Google Scholar 

  16. Howgrave-Graham, N., Silverman, J.H., Whyte, W.: A meet-in-the-middle attack on an NTRU private key, Technical report, NTRU Cryptosystems, June 2003. Report (2003)

    Google Scholar 

  17. Howgrave-Graham, N., Joux, A.: New generic algorithms for hard knapsacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 235–256. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_12

    Chapter  Google Scholar 

  18. Helm, A., May, A.: Subset sum quantumly in \(1.17^n\) .In: 13th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2018), Leibniz International Proceedings in Informatics (LIPIcs), vol. 111, Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, pp. 5:1–5:15 (2018)

    Google Scholar 

  19. Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_9

    Chapter  MATH  Google Scholar 

  20. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) International Algorithmic Number Theory Symposium, Springer, vol. 1423, pp. 267–288. Springer, Berlin, Heidelberg (1998). https://doi.org/10.1007/BFb0054868

    Chapter  Google Scholar 

  21. Hülsing, A., Rijneveld, J., Schanck, J., Schwabe, P.: High-speed key encapsulation from NTRU. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 232–252. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_12

    Chapter  Google Scholar 

  22. Kirchner, P., Fouque, P.-A.: An improved BKW algorithm for LWE with applications to cryptography and lattices. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 43–62. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_3

    Chapter  Google Scholar 

  23. Kachigar, G., Tillich, J.-P.: Quantum information set decoding algorithms. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 69–89. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_5

    Chapter  MATH  Google Scholar 

  24. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

    Chapter  Google Scholar 

  25. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43

    Chapter  Google Scholar 

  26. May, A.: How to meet ternary lwe keys, Cryptology ePrint Archive, Report 2021/216 (2021). https://eprint.iacr.org/2021/216

  27. Magniez, F., Nayak, A., Roland, J., Santha, M.: Search via quantum walk. SIAM J. Comput. 40(1), 142–164 (2011)

    Article  MathSciNet  Google Scholar 

  28. Nivasch, G.: Cycle detection using a stack. Inf. Process. Lett. 90, 135–140 (2004)

    Article  MathSciNet  Google Scholar 

  29. Prest, T., et al.: Falcon, Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  30. Pollard, J.M.: A Monte Carlo method for factorization. BIT Numer. Math. 15, 331–334 (1975)

    Article  MathSciNet  Google Scholar 

  31. Regev, O.: New lattice based cryptographic constructions. In: 35th ACM STOC, pp. 407–416. ACM Press (2003)

    Google Scholar 

  32. Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36

    Chapter  Google Scholar 

  33. Tani, S.: In improved claw finding algorithm using quantum walk. Math. Found. Comput. Sci. 2007, 536–547 (2007)

    MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Horst Görtz Institute for IT-Security, Ruhr University Bochum, Bochum, Germany

    Iggy van Hoof, Elena Kirshanova & Alexander May

  2. Immanuel Kant Baltic Federal University, Kaliningrad, Russia

    Elena Kirshanova

Authors
  1. Iggy van Hoof
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Elena Kirshanova
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Alexander May
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Elena Kirshanova .

Editor information

Editors and Affiliations

  1. Seoul National University, Seoul, Korea (Republic of)

    Jung Hee Cheon

  2. Inria, Paris, France

    Jean-Pierre Tillich

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

van Hoof, I., Kirshanova, E., May, A. (2021). Quantum Key Search for Ternary LWE. In: Cheon, J.H., Tillich, JP. (eds) Post-Quantum Cryptography. PQCrypto 2021. Lecture Notes in Computer Science(), vol 12841. Springer, Cham. https://doi.org/10.1007/978-3-030-81293-5_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-81293-5_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81292-8

  • Online ISBN: 978-3-030-81293-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation