Estimate All the {LWE, NTRU} Schemes!

  • Conference paper
Security and Cryptography for Networks (SCN 2018)

Abstract

We consider all LWE- and NTRU-based encryption, key encapsulation, and digital signature schemes proposed for standardisation as part of the Post-Quantum Cryptography process run by the US National Institute of Standards and Technology (NIST). In particular, we investigate the impact that different estimates for the asymptotic runtime of (block-wise) lattice reduction have on the predicted security of these schemes. Relying on the “LWE estimator” of Albrecht et al., we estimate the cost of running primal and dual lattice attacks against every LWE-based scheme, using every cost model proposed as part of a submission. Furthermore, we estimate the security of the proposed NTRU-based schemes against the primal attack under all cost models for lattice reduction.

The research of Albrecht was supported by EPSRC grant “Bit Security of Learning with Errors for Post-Quantum Cryptography and Fully Homomorphic Encryption” (EP/P009417/1) and by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701). The research of Curtis, Deo and Davidson was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1). The research of Player was partially supported by the French Programme d’Investissement d’Avenir under national project RISQ P141580. The research of Postlethwaite and Virdia was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/P009301/1). The research of Wunderer was supported by the DFG as part of project P1 within the CRC 1119 CROSSING.


Notes

  1. BKW-style algorithms do outperform BKZ in the enumeration regime for some medium-sized parameter sets. However, similarly to BKZ in the sieving regime, BKW requires \(2^{\varTheta (n)}\) memory.

  2. https://bitbucket.org/malb/lwe-estimator, commit 1850100.

  3. Any discrepancies in value from those cited in [15] are due to rounding introduced to the estimator output since.

References

  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press, New York, May 1996

  2. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: 33rd ACM STOC, pp. 601–610. ACM Press, New York, July 2001

  3. Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 103–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_4

  4. Albrecht, M.R., Cid, C., Faugère, J., Perret, L.: Algebraic algorithms for LWE. Cryptology ePrint Archive, Report 2014/1018 (2014). http://eprint.iacr.org/2014/1018

  5. Albrecht, M.R., Faugère, J.-C., Fitzpatrick, R., Perret, L.: Lazy modulus switching for the BKW algorithm on LWE. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 429–445. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_25

  6. Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_11

  7. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

  8. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange – a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 2016, pp. 327–343. USENIX Association (2016)

  9. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35

  10. Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22006-7_34

  11. Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08344-5_21

  12. Bansarkhani, R.E.: KINDI. Technical report, NIST (2017)

  13. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, New York (2016)

  14. Bernstein, D.J.: Table of ciphertext and key sizes for the NIST candidate algorithms (2017). https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/1lDNio0sKq4/xjqy4K6SAgAJ

  15. Bernstein, D.J.: Comment on PQC forum (2018). https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/h4_LCVNejCI/FyV5hgnqBAAJ

  16. Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU Prime. Technical report, NIST (2017)

  17. Bindel, N., et al.: qTESLA. Technical report, NIST (2017)

  18. Bos, J.W., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 16, pp. 1006–1018. ACM Press, New York, October 2016

  19. Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Paris 7 (2013)

  20. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1

  21. Cheon, J.H., Han, K., Kim, J., Lee, C., Son, Y.: A practical post-quantum public-key cryptosystem based on spLWE. In: Hong, S., Park, J.H. (eds.) ICISC 2016. LNCS, vol. 10157, pp. 51–74. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-53177-9_3

  22. Cheon, J.H., et al.: Lizard. Technical report, NIST (2017)

  23. Coppersmith, D., Shamir, A.: Lattice attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_5

  24. D’Anvers, J., Karmakar, A., Roy, S.S., Vercauteren, F.: Saber. Technical report, NIST (2017)

  25. The FPLLL Development Team: fplll, a lattice reduction library (2017). https://github.com/fplll/fplll

  26. Ding, J., Takagi, T., Gao, X., Wang, Y.: Ding key exchange. Technical report, NIST (2017)

  27. Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–463 (1985)

  28. Fujita, R.: Table of underlying problems of the NIST candidate algorithms (2017). https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/1lDNio0sKq4/7zXvtfdZBQAJ

  29. Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 207–216. ACM Press, New York, May 2008

  30. Garcia-Morchon, O., Zhang, Z., Bhattacharya, S., Rietman, R., Tolhuizen, L., Torre-Arce, J.: Round2. Technical report, NIST (2017)

  31. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: 28th ACM STOC, pp. 212–219. ACM Press, New York, May 1996

  32. Guo, Q., Johansson, T., Mårtensson, E., Stankovski, P.: Coded-BKW with sieving. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 323–346. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_12

  33. Guo, Q., Johansson, T., Stankovski, P.: Coded-BKW: solving LWE using lattice codes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 23–42. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_2

  34. Hamburg, M.: Three Bears. Technical report, NIST (2017)

  35. Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W., Zhang, Z.: Choosing parameters for NTRUEncrypt. Cryptology ePrint Archive, Report 2015/708 (2015). http://eprint.iacr.org/2015/708

  36. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a new high speed public-key cryptosystem. Technical report, draft distributed at CRYPTO 96 (1996). https://cdn2.hubspot.net/hubfs/49125/downloads/ntru-orig.pdf

  37. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868

  38. Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_9

  39. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: 15th ACM STOC, pp. 193–206. ACM Press, New York, April 1983

  40. Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 415–440 (1987)

  41. Kirchner, P., Fouque, P.-A.: An improved BKW algorithm for LWE with applications to cryptography and lattices. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 43–62. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_3

  42. Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_1

  43. Laarhoven, T.: Search problems in cryptography: from fingerprinting to lattice sieving. Ph.D. thesis, Eindhoven University of Technology (2015)

  44. Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_1

  45. Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Crypt. 77(2–3), 375–400 (2015)

  46. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2015)

  47. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21

  48. Lu, X., Liu, Y., Jia, D., Xue, H., He, J., Zhang, Z.: LAC. Technical report, NIST (2017)

  49. Lyubashevsky, V., et al.: CRYSTALS-Dilithium. Technical report, NIST (2017)

  50. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  51. May, A., Silverman, J.H.: Dimension reduction methods for convolution modular lattices. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 110–125. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_10

  52. Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7_5

  53. Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: Indyk, P. (ed.) 26th SODA, pp. 276–294. ACM-SIAM, New York, January 2015

  54. Moody, D.: The NIST post quantum cryptography “competition” (2017). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/asiacrypt-2017-moody-pqc.pdf

  55. Naehrig, M., et al.: FrodoKEM. Technical report, NIST (2017)

  56. Nguyen, P.: Comment on PQC forum (2018). https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/nZBIBvYmmUI

  57. NIST: Submission requirements and evaluation criteria for the Post-Quantum Cryptography standardization process, December 2016. http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/call-for-proposals-final-dec-2016.pdf

  58. NIST: Performance testing of the NIST candidate algorithms (2017). https://drive.google.com/file/d/1g-l0bPa-tReBD0Frgnz9aZXpO06PunUa/view

  59. Phong, L.T., Hayashi, T., Aono, Y., Moriai, S.: LOTUS. Technical report, NIST (2017)

  60. Pöppelmann, T., et al.: NewHope. Technical report, NIST (2017)

  61. Prest, T., et al.: Falcon. Technical report, NIST (2017)

  62. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, New York, May 2005

  63. Saarinen, M.O.: HILA5. Technical report, NIST (2017)

  64. Schanck, J.: Practical lattice cryptosystems: NTRUEncrypt and NTRUMLS. Master’s thesis, University of Waterloo (2015)

  65. Schanck, J.M., Hülsing, A., Rijneveld, J., Schwabe, P.: NTRU-HRSS-KEM. Technical report, NIST (2017)

  66. Schnorr, C., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)

  67. Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36494-3_14

  68. Schwabe, P., et al.: CRYSTALS-Kyber. Technical report, NIST (2017)

  69. Seo, M., Park, J.H., Lee, D.H., Kim, S., Lee, S.: EMBLEM and R.EMBLEM. Technical report, NIST (2017)

  70. Smart, N.P., et al.: LIMA. Technical report, NIST (2017)

  71. Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36

  72. Steinfeld, R., Sakzad, A., Zhao, R.K.: Titanium. Technical report, NIST (2017)

  73. Wunderer, T.: Revisiting the hybrid attack: improved analysis and refined security estimates. Cryptology ePrint Archive, Report 2016/733 (2016). http://eprint.iacr.org/2016/733

  74. Zhang, Z., Chen, C., Hoffstein, J., Whyte, W.: NTRUEncrypt. Technical report, NIST (2017)

  75. Zhang, Z., Chen, C., Hoffstein, J., Whyte, W.: pqNTRUSign. Technical report, NIST (2017)

  76. Zhao, Y., Jin, Z., Gong, B., Sui, G.: KCL (pka OKCN/AKCN/CNKE). Technical report, NIST (2017)


Acknowledgements

We thank Jean-Philippe Aumasson, Paulo Barreto, Dan Bernstein, Leo Ducas, Mike Hamburg, Duhyeong Kim, Thijs Laarhoven, Vadim Lyubashevsky, Phong Nguyen and the anonymous reviewers for pointing out mistakes in earlier versions of this work.

Author information

Correspondence to Benjamin R. Curtis, Fernando Virdia or Thomas Wunderer.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Albrecht, M.R. et al. (2018). Estimate All the {LWE, NTRU} Schemes! In: Catalano, D., De Prisco, R. (eds.) Security and Cryptography for Networks. SCN 2018. Lecture Notes in Computer Science, vol. 11035. Springer, Cham. https://doi.org/10.1007/978-3-319-98113-0_19


  • DOI: https://doi.org/10.1007/978-3-319-98113-0_19


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-98112-3

  • Online ISBN: 978-3-319-98113-0
