A Hybrid Lattice Reduction and Quantum Search Attack on LWE
F. Göpfert, C. van Vredendaal, Thomas Wunderer
29.06.2017

Motivation
[Diagram: attacks on LWE: Primal Embedding, BKW, Hybrid, Dual Embedding, …]
Make it quantum!
• Faster
• More versatile

Background and Notation
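Lattices
$m$-dimensional lattice $\Lambda$: a discrete additive subgroup of $\mathbb{R}^m$
Basis of a lattice $\Lambda$: lin. ind. $\mathbf{B} = \{\mathbf{b}_1, \dots, \mathbf{b}_m\}$ such that $\Lambda = \mathbb{Z}\mathbf{b}_1 + \dots + \mathbb{Z}\mathbf{b}_m$.
[Figure: (good) basis $\mathbf{B}$ with vectors $\mathbf{b}_1, \mathbf{b}_2$; (bad) basis $\mathbf{B}'$ with vectors $\mathbf{b}'_1, \mathbf{b}'_2$; basis reduction]
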
Shortest Vector Problem (SVP)
Find a shortest non-zero lattice vector

Closest Vector Problem (CVP)
Bounded Distance Decoding (BDD)
Given a target vector
Find (short) difference vector

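Learning with Errors (LWE)
[Figure: $\mathbf{b} = \mathbf{A}\mathbf{s} + \mathbf{e} \bmod q$, with $\mathbf{s}$ and $\mathbf{e}$ short]
Given: $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$, $\mathbf{b} \in \mathbb{Z}_q^m$
Find: $\mathbf{s} \in \mathbb{Z}_q^n$
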
The (Quantum) Hybrid Attack on LWE
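Our approach
We solve the LWE instance $\mathbf{b} = \mathbf{A}\mathbf{s} + \mathbf{e} \bmod q$ as follows:
1. Transform LWE into SVP in some lattice $\Lambda$
2. Generate a basis $\mathbf{B}'$ of $\Lambda$ of the form $\mathbf{B}' = \begin{pmatrix} \mathbf{B} & \mathbf{C} \\ \mathbf{0} & \mathbf{I}_r \end{pmatrix}$
3. Solve SVP in $\Lambda$ with our Quantum Hybrid Attack
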
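Transforming LWE into SVP
$\mathbf{b} = \mathbf{A}\mathbf{s} + \mathbf{e} \bmod q$
$\mathbf{v} \in \Lambda = \{\mathbf{x} \in \mathbb{Z}^{n+m+1} : (\mathbf{A} \mid \mathbf{I}_m \mid -\mathbf{b})\,\mathbf{x} = \mathbf{0} \bmod q\}$
$\mathbf{v} = (\mathbf{s}, \mathbf{e}, 1)^T$ short
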
The Quantum Hybrid Attack (Idea)
Setup: Find a shortest non-zero vector $\mathbf{v} \in \Lambda(\mathbf{B}') \subset \mathbb{Z}^m$, where $\mathbf{B}' = \begin{pmatrix} \mathbf{B} & \mathbf{C} \\ \mathbf{0} & \mathbf{I}_r \end{pmatrix}$
$v = (v_1, v_2)^T \in \Lambda$
Find $\mathbf{v}_1 \in \mathbb{Z}^{m-r}$ with lattice-based techniques:
• Basis reduction as precomputation
• BDD-algorithms (Nearest Plane [Babai86])
Quantum-search for $\mathbf{v}_2 \in \mathbb{Z}^r$ ("Grover-like")

Quantum vs. Classical Hybrid Attack
Quantum                                  | Classical
Quantum search for $\mathbf{v}_2$        | Meet-in-the-middle search for $\mathbf{v}_2$
+ $\sqrt{\cdot}$-speed-up over brute-force | + $\sqrt{\cdot}$-speed-up over brute-force
+ More versatile                         | - Requires highly structured keys
+ Low memory consumption                 | - Huge memory consumption
+ No collision-finding probability       | - Low collision-finding probability (might be $\approx 2^{-90}$)

The Attack
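Find $\mathbf{v}_1$: approach if $\mathbf{v}_2$ is known
$\mathbf{v} = \begin{pmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{pmatrix} = \begin{pmatrix} \mathbf{B} & \mathbf{C} \\ \mathbf{0} & \mathbf{I}_r \end{pmatrix} \begin{pmatrix} \mathbf{x} \\ \mathbf{v}_2 \end{pmatrix} = \begin{pmatrix} \mathbf{B}\mathbf{x} + \mathbf{C}\mathbf{v}_2 \\ \mathbf{v}_2 \end{pmatrix}$
[Figure: lattice $\Lambda = \Lambda(\mathbf{B})$ with the origin $0$, the lattice point $-\mathbf{B}\mathbf{x}$, the target $\mathbf{t} = \mathbf{C}\mathbf{v}_2$ and the difference vector $\mathbf{v}_1$]
Solve BDD problem: Given $\mathbf{t}$, find $\mathbf{v}_1$
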
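Solving BDD: Babai's Nearest Plane
Requires sufficiently good basis
[Figure: targets $\mathbf{t}$ and $\mathbf{t}'$, the outputs $\mathrm{NP}_{\mathbf{B}}(\mathbf{t})$ and $\mathrm{NP}_{\mathbf{B}}(\mathbf{t}')$, and the parallelepiped $\mathcal{P}(\mathbf{B})$]
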
The Algorithm (Simplified Idea)
Task: find a shortest non-zero vector in a lattice $\Lambda$
Input: a search space $S \subset \mathbb{Z}^r$, a basis $\mathbf{B}' = \begin{pmatrix} \mathbf{B} & \mathbf{C} \\ \mathbf{0} & \mathbf{I}_r \end{pmatrix}$
Loop:
• "Quantum-guess" $\mathbf{v}_2' \in S$ (black box for now)
• Check if guess is correct:
  • Calculate $\mathbf{v}_1' = \mathrm{NP}_{\mathbf{B}}(\mathbf{C}\mathbf{v}_2')$
  • If $\mathbf{v}' = (\mathbf{v}_1', \mathbf{v}_2')^T$ is sufficiently short
  • Return $\mathbf{v}'$

Quantum Search (simplified)
• Let $S = \{s_1, \dots, s_k\}$ be a finite search space and $D = (d_1, \dots, d_k)$ be a probability distribution on $S$.
• Let $s \in S$ be a secret sampled from $D$. Task: find it!
• Choose a probability distribution $A = (a_1, \dots, a_k)$ on $S$.
• There exists a quantum algorithm (generalization of Grover's search algorithm) that finds $s$ in roughly $L(A) = L(a_1, \dots, a_k) = \sum_{i} \frac{d_i}{\sqrt{a_i}}$ loops (sampling from $A$ and testing).

How to choose the distribution A
• Minimize the function $L(a_1, \dots, a_k) = \sum_{i} \frac{d_i}{\sqrt{a_i}}$ over all $a_1, \dots, a_k \in (0,1]$ with $a_1 + \dots + a_k = 1$.
• Optimization with constraints in $k$ variables (⇒ Lagrange)
• Optimal distribution $a_1, \dots, a_k$ with $a_i = \frac{d_i^{2/3}}{\sum_{j} d_j^{2/3}}$
• Minimal number of loops: $L_{\min} = \left(\sum_{i} d_i^{2/3}\right)^{3/2}$

Example (New Hope)
Take $S = \{-16, \dots, 16\}^{200}$ and $D$ to be the distribution on $S$ given in the "New Hope" key exchange scheme [ADPS16]
• Classical brute-force search: $L_{\text{classical}} \approx 33^{200} \approx 2^{1009}$
• Grover's quantum search: $L_{\text{Grover}} \approx \sqrt{33^{200}} \approx 2^{504}$
• Our approach: $L_{\text{our}} \approx 2^{1.85 \cdot 200} \approx 2^{370}$

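The three loop counts of the New Hope example can be recomputed from the loop formula L(A) = sum_i d_i / sqrt(a_i) and its optimum a_i proportional to d_i^(2/3). This is an added example, not code from the talk or the paper; it assumes New Hope's per-coordinate noise is the centered binomial distribution on {-16, ..., 16} and that the 200 coordinates are independent, and all function names are illustrative.

```python
from math import comb, log2, sqrt

K = 16    # coordinates lie in {-16, ..., 16}, as on the slide
R = 200   # number of guessed coordinates, as on the slide

def centered_binomial(k=K):
    """d_x = C(2k, k+x) / 4^k for x in {-k..k} (assumed New Hope noise law)."""
    return {x: comb(2 * k, k + x) / 4 ** k for x in range(-k, k + 1)}

def loops(d, a):
    """L(A) = sum_i d_i / sqrt(a_i): loops needed when guesses are drawn from A."""
    return sum(d[x] / sqrt(a[x]) for x in d)

def optimal_sampling(d):
    """Lagrange optimum from the slide: a_i = d_i^(2/3) / sum_j d_j^(2/3)."""
    total = sum(p ** (2 / 3) for p in d.values())
    return {x: p ** (2 / 3) / total for x, p in d.items()}

def log2_loops(d, a, r=R):
    """log2 of L over r independent coordinates.

    For product distributions D and A the sum factorizes coordinate-wise,
    so the per-coordinate exponents simply add up.
    """
    return r * log2(loops(d, a))

def compare(k=K, r=R):
    """Exponents (base 2) of the loop counts for four guessing strategies."""
    d = centered_binomial(k)
    uniform = {x: 1 / len(d) for x in d}   # plain Grover: A uniform on S
    return {
        "brute_force": r * log2(len(d)),
        "grover_uniform": log2_loops(d, uniform, r),
        "sample_from_D": log2_loops(d, d, r),
        "optimal_A": log2_loops(d, optimal_sampling(d), r),
    }

if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:>15}: 2^{bits:.1f}")
```

Sampling guesses from D itself already beats uniform Grover search on this skewed distribution, and the optimized A improves on that again; this is the gap between the slide's 2^504 and 2^370.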
Results
Runtime Analysis
Main result: Let all notations be as before and $D = (d_1, \dots, d_k)$ be the distribution from which $v_2$ is sampled.
Success probability:
$$p_{\text{succ}} \approx \prod_{i=1}^{m-r} \left(1 - \frac{2}{B\left(\frac{(m-r)-1}{2}, \frac{1}{2}\right)} \int_{-1}^{\max(-r_i,\,-1)} (1 - y^2)^{\frac{(m-r)-3}{2}}\, dy\right),$$
where $B(\cdot,\cdot)$ denotes the Euler beta function, $r_i = \frac{R_i}{2\|\mathbf{v}_1\|}$ and $R_i$ is the length of the $i$-th Gram-Schmidt vector in $\mathbf{B}$.
Number of operations if successful:
$$T_{\text{hyb}} \approx \frac{\left(\sum_{i} d_i^{2/3}\right)^{3/2} (m-r)^2}{2^{1.06}}$$

Runtime Analysis
Remarks:
• $T_{\text{hyb}}$ depends on the guessing-dimension $r$ and the "quality" $\delta$ (Hermite factor) of the basis $\mathbf{B}$
• Use precomputation (basis reduction) to change $\delta$
• Balance precomputation and actual attack costs: $T_{\text{total}}(\delta, r) = \frac{T_{\text{red}}(\delta, r) + T_{\text{hyb}}(\delta, r)}{p_{\text{succ}}(\delta, r)}$
• Non-trivial optimization process in $\delta$ and $r$
• More details: see paper

Results
• Runtime depends on the cost of basis reduction (BKZ)
• How to model the SVP cost inside BKZ with block size $\beta$?
• Two (very) different ways in the literature:
  • Enumeration: $T_{\text{SVP}} = 2^{0.27\beta \ln \beta - 1.019\beta + 16.1}$
  • Sieving: $T_{\text{SVP}} = 2^{0.265\beta + 16.4}$
• $T_{\text{red}} \approx \dim \cdot \#\text{tours} \cdot T_{\text{SVP}}$
• ⇒ We provide two different runtime estimates
• Compare our results with the LWE estimator (not claimed security levels!)

Results: New Hope and Frodo

Attack     | New Hope | Frodo-592 | Frodo-752 | Frodo-864
Dual       | 1346     | 446       | 485       | 618
Decoding   | 833      | -         | -         | -
Qu. Hybrid | 725      | 254       | 310       | 377
Table 1: BKZ with enumeration

Attack     | New Hope | Frodo-592 | Frodo-752 | Frodo-864
Dual       | 389      | 173       | 184       | 219
Decoding   | 380      | -         | -         | -
Qu. Hybrid | 384      | 171       | 189       | 221
Table 2: BKZ with sieving

Results: Lindner-Peikert
[Figure 1: BKZ with enumeration]

Conclusion
• New improved Quantum Hybrid Attack
• Detailed runtime analysis of the Quantum Hybrid
• New possibilities: apply Quantum Hybrid to non-uniform search spaces (e.g., LWE with Gaussian distribution)
• Outperforms other attacks in several instances
Thank you! Questions?

Literature
[HG07] N. Howgrave-Graham. A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack against NTRU.
[BGPW16] J. A. Buchmann, F. Göpfert, R. Player, and T. Wunderer. On the Hardness of LWE with Binary Error.
[Wun16] T. Wunderer. Revisiting the Hybrid Attack: Improved Analysis and Refined Security Estimates.
[GvVW16] F. Göpfert, C. van Vredendaal, T. Wunderer. The Quantum Hybrid Attack.
[Babai86] L. Babai. On Lovász' Lattice Reduction and the Nearest Lattice Point Problem.
[Schank15] J. Schanck. Practical Lattice Cryptosystems: NTRUencrypt and NTRUmls.
[Grover96] L. K. Grover. A Fast Quantum Mechanical Algorithm for Database Search.
[BHMT02] G. Brassard, P. Høyer, M. Mosca, A. Tapp. Quantum Amplitude Amplification and Estimation.
[ADPS16] E. Alkim, L. Ducas, T. Pöppelmann, P. Schwabe. Post-quantum Key Exchange - A New Hope.