Revisiting the Hybrid Attack: Improved Analysis and Refined Security Estimates

Over the past decade, the hybrid lattice-reduction and meet-in-the-middle attack (called the Hybrid Attack) has been used to evaluate the security of many lattice-based cryptographic schemes such as NTRU, NTRU prime, BLISS, and more. Unfortunately, none of the previous analyses of the Hybrid Attack is entirely satisfactory: they are based on simplifying assumptions that may distort the security estimates. Such simplifying assumptions include setting probabilities equal to 1 which, for the parameter sets we analyze in this work, are in fact as small as 2^-92. Many of these assumptions yield more conservative security estimates. However, some lead to overestimating the scheme's security, and without further analysis it is not clear which is the case. Therefore, the current security estimates against the Hybrid Attack are not reliable, and the actual security levels of many lattice-based schemes are unclear. In this work we present an improved runtime analysis of the Hybrid Attack that gets rid of incorrect simplifying assumptions. Our improved analysis can be used to derive reliable and accurate security estimates for many lattice-based schemes. In addition, we reevaluate the security against the Hybrid Attack for the NTRU, NTRU prime, and RBinLWEEnc encryption schemes as well as for the BLISS and GLP signature schemes. Our results show that there exist both over- and underestimates of up to 80 bits of security in the literature. Our results further show that the common claim that the Hybrid Attack is the best attack on all NTRU parameter sets is in fact a misconception based on incorrect analyses of the attack.
