Lattice Decoding Attacks on Binary LWE

Bai, Shi; Galbraith, Steven D.

doi:10.1007/978-3-319-08344-5_21

Cited by 57 publications

(23 citation statements)

References 24 publications

(49 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…However, the vector v v v = (s s s, e e e, 1) is unbalanced since ||s s s i || is not necessarily equal to ||e e e i ||. In our case, ||s s s i || < ||e e e i ||, which can be exploited by the lattice rescaling method described by Bai et al [9], and further analysed in [22]. Analogous to [4], the primal attack is successful if the projected norm of the unique shortest vector on the last b Gram-Schmidt vectors is shorter than the (d − b) th Gram-Schmidt vector, or: is generated uniformly, z will also be uniform mod q.…”

Section: Security Analysismentioning

confidence: 96%

“…Since in our case, ||s s s i || < ||e e e i ||, we observe that the w w ws s s term will be smaller than the v v ve e e term. The weighted attack [9,22] optimizes the shortest vector so that these terms have a similar variance, by considering the weighted lattice Λ = {(x x x, y y y ) ∈ Z m × (α −1 Z) n : (x x x, αy y y ) ∈ Λ mod q}.…”

Section: Security Analysismentioning

confidence: 99%

See 1 more Smart Citation

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

D’Anvers

Karmakar

Roy

et al. 2018

Progress in Cryptology – AFRICACRYPT 2018

190

126

View full text Add to dashboard Cite

In this paper, we introduce Saber, a package of cryptographic primitives whose security relies on the hardness of the Module Learning With Rounding problem (Mod-LWR). We first describe a secure Diffie-Hellman type key exchange protocol, which is then transformed into an IND-CPA encryption scheme and finally into an IND-CCA secure key encapsulation mechanism using a post-quantum version of the Fujisaki-Okamoto transform. The design goals of this package were simplicity, efficiency and flexibility resulting in the following choices: all integer moduli are powers of 2 avoiding modular reduction and rejection sampling entirely; the use of LWR halves the amount of randomness required compared to LWE-based schemes and reduces bandwidth; the module structure provides flexibility by reusing one core component for multiple security levels. A constant-time AVX2 optimized software implementation of the KEM with parameters providing more than 128 bits of post-quantum security, requires only 101K, 125K and 129K cycles for key generation, encapsulation and decapsulation respectively on a Dell laptop with an Intel i7-Haswell processor.

show abstract

Section: Security Analysismentioning

confidence: 96%

Section: Security Analysismentioning

confidence: 99%

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

D’Anvers

Karmakar

Roy

et al. 2018

Progress in Cryptology – AFRICACRYPT 2018

190

126

View full text Add to dashboard Cite

show abstract

“…Our method for solving LWE is via embedding e into a uSVP instance [Kan87,BG14] but using the success condition originally given in [ADPS16] and experimentally justified in [AGVW17]. We also use the embedding coefficient t = 1 following [ADPS16,AGVW17].…”

Section: Lwementioning

confidence: 99%

The General Sieve Kernel and New Records in Lattice Reduction

Albrecht

Ducas

Herold

et al. 2019

Advances in Cryptology – EUROCRYPT 2019

View full text Add to dashboard Cite

We propose the General Sieve Kernel (G6K, pronounced /Ze.si.ka/), an abstract stateful machine supporting a wide variety of lattice reduction strategies based on sieving algorithms. Using the basic instruction set of this abstract stateful machine, we first give concise formulations of previous sieving strategies from the literature and then propose new ones. We then also give a light variant of BKZ exploiting the features of our abstract stateful machine. This encapsulates several recent suggestions (Ducas at Eurocrypt 2018; Laarhoven and Mariano at PQCrypto 2018) to move beyond treating sieving as a blackbox SVP oracle and to utilise strong lattice reduction as preprocessing for sieving. Furthermore, we propose new tricks to minimise the sieving computation required for a given reduction quality with mechanisms such as recycling vectors between sieves, on-the-fly lifting and flexible insertions akin to Deep LLL and recent variants of Random Sampling Reduction. Moreover, we provide a highly optimised, multi-threaded and tweakable implementation of this machine which we make open-source. We then illustrate the performance of this implementation of our sieving strategies by applying G6K to various lattice challenges. In particular, our approach allows us to solve previously unsolved instances of the Darmstadt SVP (151, 153, 155) and LWE (e.g. (75, 0.005)) challenges. Our solution for the SVP-151 challenge was found 400 times faster than the time reported for the SVP-150 challenge, the previous record. For exact SVP, we observe a performance crossover between G6K and FPLLL's state of the art implementation of enumeration at dimension 70.

show abstract

“…Once α and p are chosen, we select the remaining parameters q and n in order to achieve the desired level of security for the LWE encoding scheme. To do so, we take advantage of Albrecht's estimator 7 [APS15] which, as of now, covers the following attacks: meet-in-the-middle exhaustive search, coded-BKW [GJS15], dual-lattice attack and small/sparse secret variant [Alb17], lattice reduction with enumeration [LP11], primal attack via uSVP [AFG14,BG14], Arora-Ge algorithm [AG11] using Gröbner bases [ACFP14]. Some possible choices of parameters are reported in Table 1.…”

Section: Efficiency and Concrete Parametersmentioning

confidence: 99%

Lattice-Based zk-SNARKs from Square Span Programs

Gennaro

Minelli

Nitulescu

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Zero-knowledge SNARKs (zk-SNARKs) are non-interactive proof systems with short and efficiently verifiable proofs. They elegantly resolve the juxtaposition of individual privacy and public trust, by providing an efficient way of demonstrating knowledge of secret information without actually revealing it. To this day, zk-SNARKs are being used for delegating computation, electronic cryptocurrencies, and anonymous credentials. However, all current SNARKs implementations rely on pre-quantum assumptions and, for this reason, are not expected to withstand cryptanalitic efforts over the next few decades. In this work, we introduce the first designated-verifier zk-SNARK based on lattice assumptions, which are believed to be post-quantum secure. We provide a generalization in the spirit of Gennaro et al. (Eurocrypt'13) to the SNARK of Danezis et al. (Asiacrypt'14) that is based on Square Span Programs (SSPs) and relies on weaker computational assumptions. We focus on designated-verifier proofs and propose a protocol in which a proof consists of just 5 LWE encodings. We provide a concrete choice of parameters as well as extensive benchmarks on a C implementation, showing that our construction is practically instantiable.

show abstract

Lattice Decoding Attacks on Binary LWE

Cited by 57 publications

References 24 publications

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

The General Sieve Kernel and New Records in Lattice Reduction

Lattice-Based zk-SNARKs from Square Span Programs

Contact Info

Product

Resources

About