Revisiting the Expected Cost of Solving uSVP and Applications to LWE

Abstract: Reducing the Learning with Errors problem (LWE) to the Unique-SVP problem and then applying lattice reduction is a commonly relied-upon strategy for estimating the cost of solving LWE-based constructions. In the literature, two different conditions are formulated under which this strategy is successful. One, widely used, going back to Gama & Nguyen\u27s work on predicting lattice reduction (Eurocrypt 2008) and the other recently outlined by Alkim et al. (USENIX 2016). Since these two estimates predict significantly different costs for solving LWE parameter sets from the literature, we revisit the Unique-SVP strategy. We present empirical evidence from lattice-reduction experiments exhibiting a behaviour in line with the latter estimate. However, we also observe that in some situations lattice-reduction behaves somewhat better than expected from Alkim et al.\u27s work and explain this behaviour under standard assumptions. Finally, we show that the security estimates of some LWE-based constructions from the literature need to be revised and give refined expected solving costs

On the Security of Lattice-Based Cryptography Against Lattice Reduction and Hybrid Attacks

Over the past decade, lattice-based cryptography has emerged as one of the most promising candidates for post-quantum public-key cryptography. For most current lattice-based schemes, one can recover the secret key by solving a corresponding instance of the unique Shortest Vector Problem (uSVP), the problem of finding a shortest non-zero vector in a lattice which is unusually short. This work is concerned with the concrete hardness of the uSVP. In particular, we study the uSVP in general as well as instances of the problem with particularly small or sparse short vectors, which are used in cryptographic constructions to increase their efficiency. We study solving the uSVP in general via lattice reduction, more precisely, the Block-wise Korkine-Zolotarev (BKZ) algorithm. In order to solve an instance of the uSVP via BKZ, the applied block size, which specifies the BKZ algorithm, needs to be sufficiently large. However, a larger block size results in higher runtimes of the algorithm. It is therefore of utmost interest to determine the minimal block size that guarantees the success of solving the uSVP via BKZ. In this thesis, we provide a theoretical and experimental validation of a success condition for BKZ when solving the uSVP which can be used to determine the minimal required block size. We further study the practical implications of using so-called sparsification techniques in combination with the above approach. With respect to uSVP instances with particularly small or sparse short vectors, we investigate so-called hybrid attacks. We first adapt the “hybrid lattice reduction and meet-in-the-middle attack” (or short: the hybrid attack) by Howgrave-Graham on the NTRU encryption scheme to the uSVP. Due to this adaption, the attack can be applied to a larger class of lattice-based cryptosystems. In addition, we enhance the runtime analysis of the attack, e.g., by an explicit calculation of the involved success probabilities. As a next step, we improve the hybrid attack in two directions as described in the following. To reflect the potential of a modern attacker on classical computers, we show how to parallelize the attack. We show that our parallel version of the hybrid attack scales well within realistic parameter ranges. Our theoretical analysis is supported by practical experiments, using our implementation of the parallel hybrid attack which employs Open Multi-Processing and the Message Passing Interface. To reflect the power of a potential future attacker who has access to a large-scale quantum computer, we develop a quantum version of the hybrid attack which replaces the classical meet-in-the-middle search by a quantum search. Not only is the quantum hybrid attack faster than its classical counterpart, but also applicable to a wider range of uSVP instances (and hence to a larger number of lattice-based schemes) as it uses a quantum search which is sensitive to the distribution on the search space. Finally, we demonstrate the practical relevance of our results by using the techniques developed in this thesis to evaluate the concrete security levels of the lattice-based schemes submitted to the US National Institute of Standards and Technology’s process of standardizing post-quantum public-key cryptography

On the Feasibility and Impact of Standardising Sparse-secret LWE Parameter Sets for Homomorphic Encryption

In November 2018, the HomomorphicEncryption.org consortium published the Homomorphic Encryption Security Standard. The Standard recommends several sets of Learning with Errors (LWE) parameters that can be selected by application developers to achieve a target security level $\lambda \in \{128,192,256\}$. These parameter sets all involve a power-of-two dimension $n \leq 2^{15}$, an error distribution of standard deviation $\sigma \approx 3.19$, and a secret whose coefficients are either chosen uniformly in $Z_q$, chosen according to the error distribution, or chosen uniformly in $\{ -1, 0, 1\}$. These parameter sets do not necessarily reflect implementation choices in the most commonly used homomorphic encryption libraries. For example, several libraries support dimensions that are not a power of two. Moreover, all known implementations for bootstrapping for the CKKS, BFV and BGV schemes use a sparse secret and a large ring dimension such as $n \in \{ 2^{16}, 2^{17} \}$, and advanced applications such as logistic regression have used equally large dimensions. This motivates the community to consider widening the recommended parameter sets, and the purpose of this paper is to investigate such possible extensions. We explore the security of possible sparse-secret LWE parameter sets, taking into account hybrid attacks, which are often the most competitive in the sparse-secret regime. We present a conservative analysis of the hybrid decoding and hybrid dual attacks for parameter sets of varying sparsity, with the goal of balancing security requirements with bootstrapping efficiency. We also show how the methodology in the Standard can be easily adapted to support parameter sets with power-of-two dimension $n \geq 2^{16}$. We conclude with a number of discussion points to motivate future improvements to the Standard

Exploring Trade-offs in Batch Bounded Distance Decoding

Algorithms for solving the Bounded Distance Decoding problem (BDD) are used for estimating the security of lattice-based cryptographic primitives, since these algorithms can be employed to solve variants of the Learning with Errors problem (LWE). In certain parameter regimes where the target vector is small and/or sparse, batches of BDD instances emerge from a combinatorial approach where several components of the target vector are guessed before decoding. In this work we explore trade-offs in solving ``Batch-BDD\u27\u27, and apply our techniques to the small-secret Learning with Errors problem. We compare our techniques to previous works which solve batches of BDD instances, such as the hybrid lattice-reduction and meet-in-the-middle attack. Our results are a mixed bag. We show that, in the ``enumeration setting\u27\u27 and with BKZ reduction, our techniques outperform a variant of the hybrid attack which does not consider time-memory trade-offs in the guessing phase for certain Round5 (17-bits out of 466), Round5-IoT (19-bits out of 240), and NTRU LPrime (23-bits out of 385) parameter sets. On the other hand, our techniques do not outperform the Hybrid Attack under standard, albeit unrealistic, assumptions. Finally, as expected, our techniques do not improve on previous works in the ``sieving setting\u27\u27 (under standard assumptions) where combinatorial attacks in general do not perform well

Estimate All the {LWE, NTRU} Schemes!

We consider all LWE- and NTRU-based encryption, key encapsulation, and digital signature schemes proposed for standardisation as part of the Post-Quantum Cryptography process run by the US National Institute of Standards and Technology (NIST). In particular, we investigate the impact that different estimates for the asymptotic runtime of (block-wise) lattice reduction have on the predicted security of these schemes. Relying on the ``LWE estimator\u27\u27 of Albrecht et al., we estimate the cost of running primal and dual lattice attacks against every LWE-based scheme, using every cost model proposed as part of a submission. Furthermore, we estimate the security of the proposed NTRU-based schemes against the primal attack under all cost models for lattice reduction

Improved Progressive BKZ with Lattice Sieving and a Two-Step Mode for Solving uSVP

The unique Shortest Vector Problem (uSVP) is one of the core hard problems in lattice-based cryptography. In NIST PQC standardization (Kyber, Dilithium), leaky-LWE-Estimator is used to estimate the hardness of LWE-based cryptosystems by reducing LWE to uSVP and considers the primal attack using Progressive BKZ (ProBKZ). ProBKZ trivially increases blocksize β and lifts the shortest vector in the final BKZ block to find the unique shortest vector in the full lattice. In this paper, we show that a ProBKZ algorithm as above (we call it a BKZ-only mode) is not the best way to solve uSVP. So we present a two-step mode to solve it, where the ProBKZ algorithm is followed by a sieving algorithm with the dimension larger than the blocksize of BKZ. While instantiating our two-step mode with the sieving algorithm Pump and Pump-and-jump BKZ (PnjBKZ) presented in G6K, which are the state-of-art sieving and BKZ implementations, we show that our algorithm is not only better than the BKZ-only mode but also better than the heuristic uSVP solving algorithm in G6K. However, a ProBKZ with the heuristic parameter selection in leaky-LWE-Estimator or the optimized parameter selection in the literature (Yoshinori Aono et al. at Asiacrypt 2016), is insufficient in optimizing the efficiency of a two-step solving algorithm. To find the best param- eters, we design a PnjBKZ simulator which allows the choice of value jump to be more than 1. Based on the newly designed simulator, we give a blocksize and jump strategy selection algorithm, which can achieve the best simulated efficiency in solving uSVP instances. Combining all the things above, we get a new lattice solving algorithm called Improved Progressive PnjBKZ (ProPnjBKZ for short). We test the efficiency of our ProPnjBKZ with the TU Darmstadt LWE Challenge. The experiment result shows that our ProPnjBKZ is 7.6∼12.9 times more efficient than the heuristic uSVP solving algorithm in G6K. Besides, we break the TU Darmstadt LWE Challenges with (n, α) ∈{(40, 0.035), (40, 0.040), (50, 0.025), (55, 0.020), (90, 0.005)}. Finally, we give a newly refined security estimator of LWE. The evaluation results indicate that the concrete hardness of the lattice-based NIST candidate schemes from LWE primal attack will decrease by 1.9∼4.2 bits when using our optimized blocksize and jump selection strategy and two-step solving mode. In addition, when using the list-decoding technology proposed by MATZOV in 2022, it further decreased by 8∼10.7 bits