
On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL (PowerPoint presentation)



  1. On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. Martin R. Albrecht, Information Security Group, Royal Holloway, University of London.

  2. Learning with Errors. The Learning with Errors (LWE) problem was defined by Oded Regev.¹ Given $(A, c)$ with uniform $A \in \mathbb{Z}_q^{m \times n}$, uniform $s \in \mathbb{Z}_q^n$ and small $e \in \mathbb{Z}^m$, decide whether $c = A \cdot s + e$ or $c \leftarrow_\$ U(\mathbb{Z}_q^m)$.
  ¹ Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In: 37th ACM STOC. Ed. by Harold N. Gabow and Ronald Fagin. ACM Press, May 2005, pp. 84–93.

  3. FHE schemes based on LWE. BGV (Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS 2012. Ed. by Shafi Goldwasser. ACM, Jan. 2012, pp. 309–325), implemented in HElib. FV (Junfeng Fan and Frederik Vercauteren. Somewhat Practical Fully Homomorphic Encryption. Cryptology ePrint Archive, Report 2012/144. http://eprint.iacr.org/2012/144. 2012), implemented in SEAL v2.

  4. Small Secrets. HElib typically chooses $s$ such that $w = 64$ entries are $\pm 1$ and all remaining entries are 0, regardless of the dimension $n$. SEAL chooses $s_i \leftarrow_\$ \{-1, 0, 1\}$. How many bits of security does this cost?

  5. Hardness: Reductions v Constructions. “A major part of our reduction […] is therefore dedicated to showing reduction from LWE (in dimension $n$) with arbitrary secret in $\mathbb{Z}_q^n$ to LWE (in dimension $n \log_2 q$) with a secret chosen uniformly over $\{0, 1\}$.”² “This brings up the question of whether one can get better attacks against LWE instances with a very sparse secret (much smaller than even the noise). […] it seems that the very sparse secret should only add maybe one bit to the modulus/noise ratio.”³
  ² Zvika Brakerski et al. Classical hardness of learning with errors. In: 45th ACM STOC. Ed. by Dan Boneh, Tim Roughgarden, and Joan Feigenbaum. ACM Press, June 2013, pp. 575–584.
  ³ Craig Gentry, Shai Halevi, and Nigel P. Smart. Homomorphic Evaluation of the AES Circuit. Cryptology ePrint Archive, Report 2012/099. http://eprint.iacr.org/2012/099. 2012.

  6. Lattice Attacks. Primal Attack: solve the Bounded Distance Decoding problem (BDD), i.e. find $s'$ such that $\|w - c\|$ is minimised with $w = A \cdot s'$, using uSVP embedding or Babai’s nearest planes resp. enumeration. Dual Attack: solve the Short Integer Solutions problem (SIS) in the left kernel of $A$, i.e. find a short $w$ such that $w \cdot A = 0$ and check whether $\langle w, c \rangle = w \cdot (A \cdot s + e) = \langle w, e \rangle$ is short.

  7. Dual Attack. 1. Construct a basis of the dual lattice from $A$. 2. Run a lattice reduction algorithm to obtain short vectors $v_i$. 3. Check whether the $\langle v_i, c \rangle$ are small. A reduced lattice basis contains short vectors; in particular, the first vector is short:⁴ $\|v\| \approx \delta_0^m \cdot q^{n/m}$.
  ⁴ Daniele Micciancio and Oded Regev. Lattice-based Cryptography. In: Post-Quantum Cryptography. Ed. by Daniel J. Bernstein, Johannes Buchmann, and Erik Dahmen. Springer, Heidelberg, 2009, pp. 147–191.
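The following script is an added illustration of steps 1 to 3 of the dual attack on a toy instance; it is not code from the slides or from the author. Lattice reduction is replaced by brute-force enumeration of all short vectors $v$ with $v \cdot A \equiv 0 \bmod q$ (only feasible at these sizes), and the parameters $n = 2$, $m = 6$, $q = 67$, $\sigma = 1$, $h = 1$ are constructed for the example. The point it shows is the check of step 3: because $v \cdot A \equiv 0$, $\langle v, c \rangle$ reduced to $(-q/2, q/2]$ is exactly $\langle v, e \rangle$ for a genuine LWE sample, but uniform for a random $c$.

```python
import itertools
import math
import random

# Toy LWE parameters, constructed for this illustration (far too small to be secure).
N, M, Q = 2, 6, 67       # secret dimension, number of samples, modulus
SIGMA = 1.0              # error standard deviation; the slides' alpha is sigma*sqrt(2*pi)/q
H = 1                    # number of non-zero (+-1) entries of the sparse secret


def centred(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def lwe_instance(rng, n=N, m=M, q=Q, sigma=SIGMA, h=H):
    """Uniform A, sparse ternary s with h non-zeros, rounded-Gaussian e, c = A*s + e mod q."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [0] * n
    for idx in rng.sample(range(n), h):
        s[idx] = rng.choice((-1, 1))
    e = [round(rng.gauss(0, sigma)) for _ in range(m)]
    c = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return A, s, e, c


def short_dual_vectors(A, q=Q, bound=3):
    """Brute-force stand-in for steps 1-2 (dual basis + lattice reduction): every non-zero v
    with entries in [-bound, bound] and v*A = 0 mod q, i.e. short vectors of the left kernel."""
    m, n = len(A), len(A[0])
    found = []
    for v in itertools.product(range(-bound, bound + 1), repeat=m):
        if any(v) and all(sum(v[i] * A[i][j] for i in range(m)) % q == 0 for j in range(n)):
            found.append(v)
    return found


def dual_check(v, c, q=Q):
    """Step 3: <v, c> reduced to (-q/2, q/2]. Equals <v, e> mod q when c = A*s + e."""
    return centred(sum(vi * ci for vi, ci in zip(v, c)), q)


def small_fraction(vectors, c, q=Q):
    """Share of dual vectors whose inner product with c lies within q/4 of zero."""
    return sum(abs(dual_check(v, c, q)) < q / 4 for v in vectors) / len(vectors)


def run_demo(seed=2017):
    """Build one instance, enumerate its short dual vectors and draw a uniform decoy c."""
    rng = random.Random(seed)
    A, s, e, c = lwe_instance(rng)
    uniform_c = [rng.randrange(Q) for _ in range(M)]
    return {"A": A, "s": s, "e": e, "c": c, "uniform_c": uniform_c,
            "vecs": short_dual_vectors(A)}


if __name__ == "__main__":
    r = run_demo()
    print(len(r["vecs"]), "short dual vectors found; s =", r["s"], "e =", r["e"])
    for v in r["vecs"][:4]:
        print(v, "|v| = %.2f" % math.sqrt(sum(x * x for x in v)),
              "<v,c> =", dual_check(v, r["c"]),
              "<v,e> =", sum(a * b for a, b in zip(v, r["e"])))
    print("fraction of small <v,c>: LWE c = %.2f, uniform c = %.2f"
          % (small_fraction(r["vecs"], r["c"]), small_fraction(r["vecs"], r["uniform_c"])))
```

For the LWE $c$ every reduced $\langle v, c \rangle$ is of size about $\|v\| \sigma$, so nearly all land within $q/4$ of zero, whereas for the uniform decoy about half do; that gap, averaged over many short vectors, is the distinguisher. In a real attack the enumeration is replaced by BKZ on a basis of the left-kernel lattice, and the length of the vectors it delivers is what the $\delta_0^m q^{n/m}$ estimate on this slide predicts.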

  8. 1. Amortising Costs

  9. Dual Attack: Trade-off. Given an LWE instance characterised by $n$, $\alpha$, $q$ and a vector $v$ of length $\|v\|$ such that $v \cdot A \equiv 0 \pmod q$, the advantage $\varepsilon$ of distinguishing $\langle v, c \rangle$ from random is close to⁵ $\exp(-\pi (\|v\| \cdot \alpha)^2)$. [Figure: $\log_2(\text{BKZ cost})$, 0 to 400, against $\varepsilon = 1/2^i$.]
  ⁵ Richard Lindner and Chris Peikert. Better Key Sizes (and Attacks) for LWE-Based Encryption. In: CT-RSA 2011. Ed. by Aggelos Kiayias. Vol. 6558. LNCS. Springer, Heidelberg, Feb. 2011, pp. 319–339.

  10. Amplifying Advantage. To achieve constant advantage, repeat the experiment $\approx 1/\varepsilon^2$ times for a majority vote. [Figure: $\log_2(2^{2i} \cdot \text{BKZ cost})$, 0 to 400, against $\varepsilon = 1/2^i$.]

  11. Just do it™

  12. Amortising Costs. Avoiding $1/\varepsilon^2$ calls to BKZ in block size $\beta$:
     1. $L \leftarrow$ basis for $\{y \in \mathbb{Z}^m : y \cdot A \equiv 0 \bmod q\}$
     2. $R \leftarrow$ BKZ-$\beta$ reduced basis for $L$
     3. Repeat:
        3.1 $U \leftarrow_\$$ a sparse unimodular matrix with small entries
        3.2 $R_i \leftarrow$ BKZ-$\beta'$ reduced basis for $U \cdot R$
        3.3 $y_i \leftarrow$ shortest row vector in $R_i$
        3.4 $w_i \leftarrow \langle y_i, c \rangle$
     4. Decide whether the $w_i$ are uniform or not.
     We give empirical evidence that the quality of $R_i$ isn’t “too bad”: for $\beta' = 2$, they are $< 2 \cdot \delta_0^m \cdot q^{n/m}$ with $\delta_0$ for BKZ-$\beta$.

  13. 2. Scaling

  14. Scaling for Dual Attack. Consider the normal form of the dual attack on LWE: $\Lambda(A) = \{(x, y) \in \mathbb{Z}^m \times \mathbb{Z}^n : x \cdot A \equiv y \bmod q\}$. We do not need to find $v \cdot A \equiv 0 \bmod q$; any short $v$ such that $v \cdot A = w$ is short suffices. Given a short vector $(v, w) \in \Lambda(A)$ compute $\langle v, c \rangle = v \cdot (A \cdot s + e) = \langle w, s \rangle + \langle v, e \rangle$.

  15. Scaling for Dual Attack. The aim is to balance $\|\langle w, s \rangle\| \approx \|\langle v, e \rangle\|$ when $\|s\|$ is small. Scale the lattice⁶ for some constant $c$: $\Lambda(A) = \{(x, y/c) \in \mathbb{Z}^m \times (1/c \cdot \mathbb{Z})^n : x \cdot A \equiv y \bmod q\}$. Lattice reduction produces a vector $(v, w)$ with $\|(v, w)\| \approx \delta_0^{m+n} \cdot (q/c)^{n/(m+n)}$. The final error we aim to distinguish from uniform is $v \cdot A \cdot s + \langle v, e \rangle = \langle c \cdot w, s \rangle + \langle v, e \rangle$.
  ⁶ Shi Bai and Steven D. Galbraith. Lattice Decoding Attacks on Binary LWE. In: ACISP 14. Ed. by Willy Susilo and Yi Mu. Vol. 8544. LNCS. Springer, Heidelberg, July 2014, pp. 322–337. doi: 10.1007/978-3-319-08344-5_21.

  16. Scaling for Dual Attack. From $v \cdot A \cdot s + \langle v, e \rangle = \langle c \cdot w, s \rangle + \langle v, e \rangle$ we find $c$ by solving for the value that equalises the noise contributions of both parts of the sum: $c = \frac{\alpha q}{\sqrt{2\pi}} \cdot \sqrt{\frac{m - n}{h}}$.

  17. 3. Sparse Secrets

  18. Ignoring Components. When the secret is sparse, most columns of $A$ are irrelevant. The probability of getting lucky ($s_i = 0$) when ignoring $k$ random components in dimension $n$ with in total $h$ entries $s_i \neq 0$ follows a hypergeometric distribution: $P_k = \prod_{i=0}^{k-1} \left(1 - \frac{h}{n - i}\right) = \frac{\binom{n-h}{k}}{\binom{n}{k}}$. Solving (with high enough probability) $\approx 1/P_k$ instances in dimension $n - k$ solves our instance at dimension $n$.

  19. Ignoring Components in Dual Attack. Split off the first $k$ columns of $A$ and the first $k$ entries $s_0, \dots, s_{k-1}$ of $s$ (the ones we hope are zero). The short vector $v$ is found for the remaining columns only, so $v \cdot A$ is small on columns $k, \dots, n-1$ but arbitrary on columns $0, \dots, k-1$: $v \cdot A \approx (a'_{0,0}, \dots, a'_{0,k-1}, 0, \dots, 0)$. The contribution $\sum_{i < k} a'_{0,i} \, s_i$ of the ignored components to $\langle v, c \rangle$ is therefore unknown (“?”) unless $s_0 = \dots = s_{k-1} = 0$.

  20. Ignoring Components in Dual Attack. If the ignored components are indeed zero, the unknown part vanishes and, with the scaling of slide 15, $\langle v, c \rangle = \langle c \cdot w_{k:}, s_{k:} \rangle + \langle v, e \rangle$, i.e. the error of a dual attack in dimension $n - k$.
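To make the three cost levers of these slides concrete (the trade-off and $1/\varepsilon^2$ amplification of slides 9 and 10, the amortisation of slide 12, and the ignored components of slide 18), here is an added Python cost estimator. It is not the slides’ or the author’s code and not the LWE estimator. Everything marked as assumed is mine: $\delta_0(\beta)$ from the usual asymptotic formula, a sieving-style BKZ cost of $2^{0.292\beta + 16.4}$ per SVP call times $8d$ calls, $d^3$ operations per BKZ-2 re-randomisation, the re-randomised vectors taken at the $2\times$ bound quoted on slide 12, and an illustrative HElib-like parameter set $n = 1024$, $\log_2 q = 47$, $\sigma = 3.2$, $h = 64$ constructed for the example. The scaling of slides 14 to 16 is not modelled, so the numbers are only meant to show how the pieces combine.

```python
import math

# Illustrative parameter set, constructed for this example (not taken from the slides):
# an HElib-like instance with a sparse secret of h = 64 non-zero +-1 entries.
N, LOG2_Q, SIGMA, H = 1024, 47, 3.2, 64
Q = 2 ** LOG2_Q
ALPHA = SIGMA * math.sqrt(2 * math.pi) / Q      # slides' alpha: sigma = alpha*q/sqrt(2*pi)


# --- assumed models (not from the slides) -------------------------------------------
def delta0(beta):
    """Root-Hermite factor delta_0 reached by BKZ-beta (assumed asymptotic formula)."""
    return ((beta / (2 * math.pi * math.e)) * (math.pi * beta) ** (1 / beta)) ** (1 / (2 * (beta - 1)))


def log2_bkz_cost(beta, d):
    """Assumed sieving-style cost of BKZ-beta in dimension d, in bits: 8d SVP calls."""
    return 0.292 * beta + 16.4 + math.log2(8 * d)


def log2_lll_cost(d):
    """Assumed cost of one BKZ-2 (LLL) re-reduction in step 3.2 of slide 12: d^3 operations."""
    return 3 * math.log2(d)


# --- quantities taken from the slides -----------------------------------------------
def dual_norm(n, q, m, delta):
    """Slide 7: length of the first vector of a BKZ-reduced basis of {y : y*A = 0 mod q}."""
    return delta ** m * q ** (n / m)


def advantage(norm_v, alpha):
    """Slide 9: Lindner-Peikert advantage of one dual vector of the given length."""
    return math.exp(-math.pi * (norm_v * alpha) ** 2)


def log2_repeats(norm_v, alpha):
    """Slide 10: log2 of the ~1/eps^2 repetitions needed for constant advantage,
    evaluated in the log domain so a tiny eps does not underflow."""
    return 2 * math.pi * (norm_v * alpha) ** 2 / math.log(2)


def log2_add(a, b):
    """log2(2^a + 2^b)."""
    hi, lo = max(a, b), min(a, b)
    return hi + math.log2(1 + 2 ** (lo - hi))


def log2_dual_cost(n, alpha, q, beta, m, amortise):
    """Bits of work for constant advantage with BKZ-beta on m samples.
    amortise=False: rerun BKZ-beta 1/eps^2 times (slide 10).
    amortise=True : one BKZ-beta run plus 1/eps^2 cheap re-randomisations whose
                    vectors are taken to be up to 2x longer (slide 12's empirical bound)."""
    norm = dual_norm(n, q, m, delta0(beta))
    if amortise:
        return log2_add(log2_bkz_cost(beta, m),
                        log2_repeats(2 * norm, alpha) + log2_lll_cost(m))
    return log2_repeats(norm, alpha) + log2_bkz_cost(beta, m)


def best_dual_cost(n, alpha, q, amortise, betas=range(50, 500, 8)):
    """Grid search over the block size beta and the number of samples m; returns (bits, beta, m)."""
    best = (math.inf, None, None)
    for beta in betas:
        for m in range(n, 4 * n + 1, max(1, n // 16)):
            cost = log2_dual_cost(n, alpha, q, beta, m, amortise)
            if cost < best[0]:
                best = (cost, beta, m)
    return best


def p_k(n, h, k):
    """Slide 18: probability that k randomly ignored components of an n-dimensional
    secret with h non-zero entries are all zero (hypergeometric), as the product form."""
    p = 1.0
    for i in range(k):
        p *= 1 - h / (n - i)
    return p


def p_k_binomial(n, h, k):
    """Same probability as p_k, written as binom(n-h, k) / binom(n, k)."""
    return math.comb(n - h, k) / math.comb(n, k)


def best_sparse_cost(n, alpha, q, h, amortise, ks=None):
    """Slide 18: solve ~1/P_k instances in dimension n-k and pick the k minimising total bits.
    Returns (bits, k, beta, m); k = 0 is in the search space, so this never beats itself."""
    ks = range(0, n - h, 64) if ks is None else ks
    best = (math.inf, None, None, None)
    for k in ks:
        bits, beta, m = best_dual_cost(n - k, alpha, q, amortise)
        total = bits + math.log2(1 / p_k(n, h, k))
        if total < best[0]:
            best = (total, k, beta, m)
    return best


if __name__ == "__main__":
    for amortise in (False, True):
        label = "amortised" if amortise else "repeat BKZ"
        bits, beta, m = best_dual_cost(N, ALPHA, Q, amortise)
        print(f"{label:>10}: {bits:6.1f} bits  (beta={beta}, m={m}, no components ignored)")
        bits, k, beta, m = best_sparse_cost(N, ALPHA, Q, H, amortise)
        print(f"{label:>10}: {bits:6.1f} bits  (beta={beta}, m={m}, k={k} components ignored)")
```

The search simply evaluates every $(\beta, m)$ on a grid; what it exposes is that the $1/\varepsilon^2$ factor grows as $2^{2\pi(\|v\|\alpha)^2/\ln 2}$, so doubling the vector length (the amortised variant’s worst case) quadruples that exponent and pushes the optimum towards a larger $\beta$ with $\varepsilon$ close to 1, while ignoring $k$ components trades $\log_2(1/P_k)$ extra bits against the saving from reducing the dimension to $n - k$.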
