A Hybrid Lattice Basis Reduction and Quantum Search Attack on LWE

Recently, an increasing number of papers proposing post-quantum schemes also provide concrete parameter sets aiming for concrete post-quantum security levels. Security evaluations of such schemes need to include all possible attacks, in particular those by quantum adversaries. In the case of lattice-based cryptography, currently existing quantum attacks are mainly classical attacks, carried out with quantum basis reduction as a subroutine.
