Key Recovery for LWE in Polynomial Time

We discuss a higher-dimensional generalization of the Hidden Number Problem and generalize the Boneh-Venkatesan method [BV96, Shp05] for solving it in polynomial time. We then use this to analyze a key recovery (decoding) attack on LWE which runs in polynomial time using the LLL lattice basis reduction algorithm [LLL82] and Babai's nearest planes method [Bab86]. We prove that success can be guaranteed with overwhelming probability when the error distribution is narrow enough and q ≥ 2^{O(n)}, where n is the dimension of the secret key. An explicit constant in the exponent is given, but in practice the performance is observed to be significantly better. Our focus is on attacking the search variant of LWE. Known attacks include combinatorial methods [BKW03, ACFFP13], polynomial system solving (Gröbner basis) methods [AG11, ACFP14], and lattice reduction methods [LP11, LN13, BG14, LM09]. Typically the performance of the lattice reduction attacks involves estimating the performance and complexity of BKZ-2.0 [CN11], which is difficult. Still another option is to attack the decision version of LWE [MR09] and use the search-to-decision reductions to break the search problem [BLPRS13, MP12]. Our key recovery attack is interesting because it runs in polynomial time, and yields simple and concrete security estimates for a wide range of parameters, depending in a clear and explicit way on the effective approximation factor in the LLL algorithm and in Babai's nearest planes method. We ran the attack for hundreds of LWE instances, demonstrating successful key recovery and yielding information about the effective approximation factor as the lattice dimension grows (see Figure 3). For example, we successfully recover the secret key for an instance with n = 350 in about 3.5 days on a single machine, provided that the modulus is large enough and the error distribution narrow enough.
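The decoding attack sketched above, as an added toy implementation that is not the paper's code and reflects no parameter choice from the paper: build a basis of the q-ary lattice L = {y ∈ Z^m : y ≡ A x (mod q)}, LLL-reduce it, and run Babai's nearest planes on the target b = A s + e mod q so that b minus the returned lattice vector is the error e, from which s follows by linear algebra mod q. The LWE instance, the error distribution (uniform on {-1, 0, 0, 1}) and the parameters n = 4, m = 10, q = 257 are constructed here for illustration; LLL and Babai are written from scratch in exact rational arithmetic (no fpylll), so this only scales to small dimensions.

```python
"""Toy LWE key-recovery (decoding) attack: LLL reduction + Babai nearest planes.
Added illustration, not the paper's code.  Exact rational arithmetic and
small constructed parameters, so plain LLL reduces the q-ary lattice well
enough for Babai's nearest-planes step to return the exact error vector."""
from fractions import Fraction
import random


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def inv_mod_matrix(M, q):
    """Inverse of a square integer matrix mod prime q (Gauss-Jordan); None if singular."""
    n = len(M)
    A = [[x % q for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c]), None)
        if p is None:
            return None
        A[c], A[p] = A[p], A[c]
        inv = pow(A[c][c], -1, q)
        A[c] = [x * inv % q for x in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [(x - f * y) % q for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]


def matmul_mod(X, Y, q):
    return [[dot(row, col) % q for col in zip(*Y)] for row in X]


def lll(basis, delta=Fraction(99, 100)):
    """LLL-reduce the rows of a full-rank integer basis using exact Gram-Schmidt data."""
    B = [list(map(Fraction, row)) for row in basis]
    n = len(B)
    Bs = [None] * n                                  # Gram-Schmidt vectors b*_i
    mu = [[Fraction(0)] * n for _ in range(n)]       # GSO coefficients mu_ij

    def update_gso(start):                           # recompute rows >= start
        for i in range(start, n):
            v = B[i][:]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
            Bs[i] = v

    update_gso(0)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):               # size-reduce b_k against b_j
            r = round(mu[k][j])
            if r:
                B[k] = [a - r * b for a, b in zip(B[k], B[j])]
                for l in range(j + 1):               # b*_i unchanged, only mu_k* moves
                    mu[k][l] -= r * (1 if l == j else mu[j][l])
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                   # Lovász condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            update_gso(k - 1)
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in B]


def babai_nearest_plane(B, t):
    """Lattice vector v (lattice = rows of B) that Babai's nearest planes assigns to t.
    v = t - e exactly when e lies in the Gram-Schmidt parallelepiped of B."""
    Bf = [list(map(Fraction, row)) for row in B]
    Bs = []
    for i, row in enumerate(Bf):
        v = row[:]
        for j in range(i):
            v = [a - (dot(row, Bs[j]) / dot(Bs[j], Bs[j])) * b for a, b in zip(v, Bs[j])]
        Bs.append(v)
    w = list(map(Fraction, t))                       # residual t - v, peeled plane by plane
    for i in range(len(Bf) - 1, -1, -1):
        c = round(dot(w, Bs[i]) / dot(Bs[i], Bs[i]))
        w = [a - c * b for a, b in zip(w, Bf[i])]
    return [int(a - b) for a, b in zip(map(Fraction, t), w)]


def lwe_instance(n, m, q, rng):
    """Constructed toy instance: uniform A, s; error in {-1,0,1}; b = A s + e mod q.
    Resamples A until its first n rows are invertible mod q (the attack needs that)."""
    while True:
        A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
        if inv_mod_matrix(A[:n], q) is not None:
            break
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.choice([-1, 0, 0, 1]) for _ in range(m)]
    b = [(dot(row, s) + ei) % q for row, ei in zip(A, e)]
    return A, s, e, b


def recover_secret(A, b, q):
    """Decoding attack: CVP in L = {y in Z^m : y = A x mod q} with target b."""
    m, n = len(A), len(A[0])
    A1_inv = inv_mod_matrix(A[:n], q)
    if A1_inv is None:
        raise ValueError("first n rows of A not invertible mod q; reorder the samples")
    Ap = matmul_mod(A, A1_inv, q)                    # systematic form: I_n on top, same lattice
    basis = [[Ap[r][i] for r in range(m)] for i in range(n)]                # columns of A'
    basis += [[q if r == j else 0 for r in range(m)] for j in range(n, m)]  # q * e_j
    v = babai_nearest_plane(lll(basis), b)
    e = [bi - vi for bi, vi in zip(b, v)]            # b - v is the error if decoding worked
    y = [(bi - ei) % q for bi, ei in zip(b[:n], e[:n])]   # A_1 s = b_1 - e_1 (mod q)
    s = [dot(row, y) % q for row in A1_inv]
    return s, e


def demo(n=4, m=10, q=257, seed=1):
    """Generate a seeded instance, attack it, return (secret recovered?, error recovered?)."""
    A, s, e, b = lwe_instance(n, m, q, random.Random(seed))
    s_rec, e_rec = recover_secret(A, b, q)
    return s_rec == s, e_rec == e


if __name__ == "__main__":
    print("secret, error recovered:", demo())
```

In this toy the decoding step is exact precisely when e falls inside the Gram-Schmidt parallelepiped of the LLL-reduced basis, which is guaranteed whenever ‖e‖ < min_i ‖b*_i‖ / 2; how far LLL keeps the last Gram-Schmidt norms from collapsing as m grows is what an "effective approximation factor" measures, and it is the first thing to print when the attack starts failing on larger instances.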

[1] László Lovász et al. Factoring polynomials with rational coefficients, 1982.

[2] László Babai et al. On Lovász' lattice reduction and the nearest lattice point problem, Comb., 1986.

[3] W. Banaszczyk. New bounds in some transference theorems in the geometry of numbers, 1993.

[4] Dan Boneh et al. Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes, CRYPTO, 1996.

[5] Adam Tauman Kalai et al. Noise-tolerant learning, the parity problem, and the statistical query model, STOC '00, 2000.

[6] I. E. Shparlinski. Playing "hide-and-seek" with numbers: the hidden number problem, lattices and exponential sums, 2005.

[7] Damien Stehlé et al. LLL on the Average, ANTS, 2006.

[8] Oded Regev et al. Lattice-Based Cryptography, CRYPTO, 2006.

[9] Craig Gentry et al. Trapdoors for hard lattices and new cryptographic constructions, IACR Cryptol. ePrint Arch., 2008.

[10] Nicolas Gama et al. Predicting Lattice Reduction, EUROCRYPT, 2008.

[11] Daniele Micciancio et al. On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem, CRYPTO, 2009.

[12] Oded Regev et al. On lattices, learning with errors, random linear codes, and cryptography, JACM, 2009.

[13] Chris Peikert et al. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract, STOC '09, 2009.

[14] Chris Peikert et al. An Efficient and Parallel Gaussian Sampler for Lattices, CRYPTO, 2010.

[15] Chris Peikert et al. Better Key Sizes (and Attacks) for LWE-Based Encryption, CT-RSA, 2011.

[16] Sanjeev Arora et al. New Algorithms for Learning in Presence of Errors, ICALP, 2011.

[17] Vinod Vaikuntanathan et al. Can homomorphic encryption be practical?, CCSW '11, 2011.

[18] Vinod Vaikuntanathan et al. Efficient Fully Homomorphic Encryption from (Standard) LWE, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, 2011.

[19] Chris Peikert et al. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller, IACR Cryptol. ePrint Arch., 2012.

[20] Vinod Vaikuntanathan et al. Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages, CRYPTO, 2011.

[21] Phong Q. Nguyen et al. BKZ 2.0: Better Lattice Security Estimates, ASIACRYPT, 2011.

[22] Zvika Brakerski et al. Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP, CRYPTO, 2012.

[23] Daesung Kwon et al. Information Security and Cryptology – ICISC 2012, Lecture Notes in Computer Science, 2012.

[24] Craig Gentry et al. (Leveled) fully homomorphic encryption without bootstrapping, ITCS '12, 2012.

[25] Frederik Vercauteren et al. Somewhat Practical Fully Homomorphic Encryption, IACR Cryptol. ePrint Arch., 2012.

[26] Michael Naehrig et al. ML Confidential: Machine Learning on Encrypted Data, ICISC, 2012.

[27] Nigel P. Smart et al. Estimating Key Sizes for High Dimensional Lattice-Based Systems, IMACC, 2013.

[28] Damien Stehlé et al. Classical hardness of learning with errors, STOC '13, 2013.

[29] Michael Naehrig et al. Improved Security for a Ring-Based Fully Homomorphic Encryption Scheme, IMACC, 2013.

[30] Mingjie Liu et al. Solving BDD by Enumeration: An Update, CT-RSA, 2013.

[31] Chris Peikert et al. On Ideal Lattices and Learning with Errors over Rings, JACM, 2010.

[32] Shi Bai et al. Lattice Decoding Attacks on Binary LWE, ACISP, 2014.

[33] Michael Naehrig et al. Private Predictive Analysis on Encrypted Medical Data, IACR Cryptol. ePrint Arch., 2014.

[34] Michael Naehrig et al. Private Computation on Encrypted Genomic Data, LATINCRYPT, 2014.

[35] Michael Naehrig et al. A Comparison of the Homomorphic Encryption Schemes FV and YASHE, AFRICACRYPT, 2014.

[36] Craig Costello et al. Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem, 2015 IEEE Symposium on Security and Privacy, 2015.

[37] Martin R. Albrecht et al. Algebraic Algorithms for LWE, 2015.

[38] Steven D. Galbraith et al. The Multivariate Hidden Number Problem, ICITS, 2015.

[39] Martin R. Albrecht et al. On the complexity of the BKW algorithm on LWE, Des. Codes Cryptogr., 2012.