A Hybrid of Dual and Meet-in-the-Middle Attack on Sparse and Ternary Secret LWE

The dual attack is one of the most efficient attacks on the learning with errors (LWE) problem. Recently, Albrecht (Eurocrypt 2017) reported an efficient variant of the dual attack for LWE with sparse and small secrets, which forced some LWE-based cryptosystems, in particular fully homomorphic encryption (FHE) schemes, to change their parameters. In this paper we propose a new hybrid of the dual attack and the meet-in-the-middle (MITM) attack that outperforms Albrecht's variant in the same LWE parameter regime. To this end, we adapt Odlyzko's MITM attack on NTRU to LWE and give a rigorous analysis of it. The performance of our MITM attack depends on the size of the error relative to the modulus, so for LWE samples with a large modulus it works well even for quite large errors. We then combine our MITM attack with Albrecht's observation that the dual attack can be understood as a dimension-error trade-off, which yields our hybrid attack. We also implement a Sage module, built on top of the LWE-estimator, that estimates the complexity of our attack, and the attack shows a significant improvement for the LWE parameters used in FHE. For example, for the LWE problem with dimension $n = 2^{15}$, modulus $q = 2^{628}$, and a ternary secret of Hamming weight 64, one of the parameter sets used for HEAAN bootstrapping (Eurocrypt 2018), our attack takes $2^{112.5}$ operations and $2^{70.6}$ bits of memory, while the previous best attack requires $2^{127.2}$ operations as reported by the LWE-estimator.
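As an added illustration of the Odlyzko-style meet-in-the-middle step the abstract describes (this is not code from the paper and not the authors' Sage module), the following Python toy runs a MITM attack on a small LWE instance with a sparse ternary secret. It splits the secret into two halves, tabulates a locality-sensitive hash of $A_1 s_1$ for every ternary $s_1$ on the left half, and for every $s_2$ on the right half looks up $b - A_2 s_2 = A_1 s_1 + e$, enumerating both hash bits for coordinates that the error could push across a hash boundary. The instance, the parameters (n = 16, m = 32, q = 4096, weight 4, error bound 8) and the one-bit-per-coordinate hash are constructed assumptions for this example and say nothing about the paper's $2^{15}$-dimensional HEAAN parameters.

```python
import itertools
import random
from collections import defaultdict

random.seed(1)

# Toy parameters, chosen for this example only (assumption, not the paper's setting).
N = 16        # LWE dimension
M = 32        # number of samples
Q = 4096      # modulus
H = 4         # Hamming weight of the ternary secret
B = 8         # error bound: every error coordinate is uniform in [-B, B]


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def gen_instance(n=N, m=M, q=Q, h=H, b=B):
    """Constructed LWE instance b = A*s + e mod q with a sparse ternary secret s."""
    s = [0] * n
    for i in random.sample(range(n), h):
        s[i] = random.choice((-1, 1))
    A = [[random.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [random.randint(-b, b) for _ in range(m)]
    bvec = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return A, bvec, s


def ternary_vectors(dim, max_weight):
    """All ternary vectors of length dim with Hamming weight <= max_weight."""
    for w in range(max_weight + 1):
        for support in itertools.combinations(range(dim), w):
            for signs in itertools.product((-1, 1), repeat=w):
                v = [0] * dim
                for idx, sg in zip(support, signs):
                    v[idx] = sg
                yield tuple(v)


def matvec(A, cols, v, q=Q):
    """A restricted to the given columns, times v, reduced mod q."""
    return [sum(A[i][c] * v[k] for k, c in enumerate(cols)) % q for i in range(len(A))]


def odlyzko_hash(vec, q=Q):
    """Odlyzko's locality-sensitive hash: one bit per coordinate, 1 iff the entry lies in [0, q/2)."""
    return tuple(1 if x < q // 2 else 0 for x in vec)


def ambiguous_coords(vec, q=Q, b=B):
    """Coordinates within b of a hash boundary (0 or q/2); an error of size <= b may flip their bit."""
    amb = []
    for i, x in enumerate(vec):
        d0 = min(x, q - x)        # distance to the boundary at 0 (= q)
        d1 = abs(x - q // 2)      # distance to the boundary at q/2
        if min(d0, d1) <= b:
            amb.append(i)
    return amb


def mitm_attack(A, bvec, h=H, q=Q, b=B):
    """Recover the ternary secret of weight h from (A, b), or return None."""
    m, n = len(A), len(A[0])
    left, right = list(range(n // 2)), list(range(n // 2, n))
    # Phase 1: table of hash(A_1 s_1) for every ternary s_1 on the left half (the memory cost).
    table = defaultdict(list)
    for s1 in ternary_vectors(len(left), h):
        table[odlyzko_hash(matvec(A, left, s1, q))].append(s1)
    # Phase 2: for each s_2 on the right half, t = b - A_2 s_2 = A_1 s_1 + e; probe every hash t may collide with.
    for s2 in ternary_vectors(len(right), h):
        t = [(bvec[i] - x) % q for i, x in enumerate(matvec(A, right, s2, q))]
        base = list(odlyzko_hash(t))
        amb = ambiguous_coords(t, q, b)
        for flips in itertools.product((0, 1), repeat=len(amb)):
            key = base[:]
            for i, f in zip(amb, flips):
                key[i] ^= f
            for s1 in table.get(tuple(key), ()):
                cand = list(s1) + list(s2)
                if sum(1 for x in cand if x) != h:
                    continue
                # Verify the collision: b - A*cand must be a genuinely small error vector.
                resid = [centered(bvec[i] - sum(A[i][j] * cand[j] for j in range(n)), q) for i in range(m)]
                if all(abs(r) <= b for r in resid):
                    return cand
    return None


if __name__ == "__main__":
    A, bvec, s = gen_instance()
    print("recovered secret:", mitm_attack(A, bvec) == s)
```

The table in phase 1 is the memory cost of the attack, and the number of extra probes per lookup grows with the fraction of coordinates that fall within B of a hash boundary, roughly 4B/q per coordinate; that is the dependence on the error-to-modulus ratio that the abstract refers to, and shrinking B relative to q (or raising q) is what makes the matching cheap.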

[1] Masahiro Yagisawa et al., Fully Homomorphic Encryption without bootstrapping, IACR Cryptol. ePrint Arch., 2015.

[2] Nick Howgrave-Graham et al., A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU, CRYPTO, 2007.

[3] László Babai et al., On Lovász' lattice reduction and the nearest lattice point problem, Combinatorica, 1986.

[4] Thomas Wunderer et al., Revisiting the Hybrid Attack: Improved Analysis and Refined Security Estimates, IACR Cryptol. ePrint Arch., 2016.

[5] Erdem Alkim et al., Post-quantum Key Exchange - A New Hope, USENIX Security Symposium, 2016.

[6] Damien Stehlé et al., Classical hardness of learning with errors, STOC, 2013.

[7] Martin R. Albrecht et al., On the concrete hardness of Learning with Errors, J. Math. Cryptol., 2015.

[8] Frederik Vercauteren et al., Somewhat Practical Fully Homomorphic Encryption, IACR Cryptol. ePrint Arch., 2012.

[9] Chris Peikert et al., Public-key cryptosystems from the worst-case shortest vector problem: extended abstract, STOC, 2009.

[10] Johannes A. Buchmann et al., On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack, AFRICACRYPT, 2016.

[11] Wojciech Banaszczyk et al., Inequalities for convex bodies and polar reciprocal lattices in R^n, Discrete Comput. Geom., 1995.

[12] Nicolas Gama et al., Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds, ASIACRYPT, 2016.

[13] Christine van Vredendaal et al., A Hybrid Lattice Basis Reduction and Quantum Search Attack on LWE, PQCrypto, 2017.

[14] Shai Halevi et al., Algorithms in HElib, CRYPTO, 2014.

[15] Yuanmi Chen, Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe (Lattice reduction and concrete security of fully homomorphic encryption), 2013.

[16] Hao Chen et al., Simple Encrypted Arithmetic Library - SEAL v2.1, Financial Cryptography Workshops, 2016.

[17] Shi Bai et al., Lattice Decoding Attacks on Binary LWE, ACISP, 2014.

[18] Shai Halevi et al., Design and Implementation of a Homomorphic-Encryption Library, 2012.

[19] Craig Costello et al., Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE, IACR Cryptol. ePrint Arch., 2016.

[20] Jung Hee Cheon et al., Bootstrapping for Approximate Homomorphic Encryption, IACR Cryptol. ePrint Arch., 2018.

[21] Brent Waters et al., Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based, CRYPTO, 2013.

[22] Vinod Vaikuntanathan et al., Efficient Fully Homomorphic Encryption from (Standard) LWE, IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS), 2011.

[23] Martin R. Albrecht, On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL, EUROCRYPT, 2017.

[24] Léo Ducas et al., FHEW: Bootstrapping Homomorphic Encryption in Less Than a Second, EUROCRYPT, 2015.

[25] Oded Regev, On lattices, learning with errors, random linear codes, and cryptography, STOC, 2005.

[26] Jung Hee Cheon et al., Homomorphic Encryption for Arithmetic of Approximate Numbers, ASIACRYPT, 2017.

[27] Shai Halevi et al., Bootstrapping for HElib, EUROCRYPT, 2015.

[28] Vinod Vaikuntanathan et al., Optimized homomorphic encryption solution for secure genome-wide association studies, BMC Medical Genomics, 2020.

[29] Phong Q. Nguyen et al., BKZ 2.0: Better Lattice Security Estimates, ASIACRYPT, 2011.

[30] Xiaoqian Jiang et al., Secure Outsourced Matrix Computation and Application to Neural Networks, CCS, 2018.

[31] Anja Becker et al., New directions in nearest neighbor searching with applications to lattice sieving, IACR Cryptol. ePrint Arch., 2016.

[32] Hao Chen et al., Improved Bootstrapping for Approximate Homomorphic Encryption, IACR Cryptol. ePrint Arch., 2019.

[33] Hao Chen et al., Homomorphic Lower Digits Removal and Improved FHE Bootstrapping, IACR Cryptol. ePrint Arch., 2018.

[34] Jung Hee Cheon et al., Lizard: Cut off the Tail! // Practical Post-Quantum Public-Key Encryption from LWE and LWR, IACR Cryptol. ePrint Arch., 2018.

[35] Chris Peikert et al., Better Key Sizes (and Attacks) for LWE-Based Encryption, CT-RSA, 2011.