A new Hybrid Lattice Attack on Galbraith's Binary LWE Cryptosystem

LWE-based cryptosystems are an attractive alternative to traditional ones in the post-quantum era. To minimize the storage cost of part of its public key - a $256 \times 640$ integer matrix, $\textbf{T}$ - a binary version of $\textbf{T}$ has been proposed. One component of its ciphertext, $\textbf{c}_{1}$, is computed as $\textbf{c}_{1} = \textbf{Tu}$ where $\textbf{u}$ is an ephemeral secret. Knowing $\textbf{u}$, the plaintext can be deduced. Given $\textbf{c}_{1}$ and $\textbf{T}$, Galbraith's challenge is to compute $\textbf{u}$ with existing computing resources in 1 year. Our hybrid approach guesses and removes some bits of the solution vector and maps the problem of solving the resulting sub-instance to the Closest Vector Problem in Lattice Theory. The lattice-based approach reduces the number of bits to be guessed, while the initial guess based on LP relaxation reduces the number of subsequent guesses to polynomial rather than exponential in the number of guessed bits. Further enhancements partition the set of guessed bits and use a 2-step application of LP. Given the constraint of processor cores and time, a one-time training algorithm learns the optimal combination of partitions yielding a success rate of 9\% - 23\% with 1000 - 100,000 cores in 1 year. This compares favourably with earlier work that yielded 2\% success with 3000 cores.
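To make the "guess and remove" step concrete, the following added Python example (not from the paper or from Galbraith's scheme; it is an illustration written for this page) builds a toy instance of $\textbf{c}_{1} = \textbf{Tu}$ with a binary $\textbf{T}$ and binary $\textbf{u}$, fixes a guess for a few coordinates of $\textbf{u}$, subtracts their contribution from $\textbf{c}_{1}$, and shows that what remains is a smaller instance of the same form in the unguessed coordinates. The dimensions ($6 \times 12$ rather than $256 \times 640$) and the random seed are constructed values; the residual sub-instance is solved here by plain enumeration so the shrinkage of the search space is visible, whereas the paper maps it to the Closest Vector Problem and seeds the guesses with LP relaxation, neither of which is implemented below.

```python
import itertools
import random

# Toy dimensions (constructed for this example; the real public key is 256 x 640).
M, N = 6, 12


def matvec(T, u):
    """Compute T u over the integers for a 0/1 matrix T and 0/1 vector u."""
    return [sum(t_ij * u_j for t_ij, u_j in zip(row, u)) for row in T]


def make_instance(seed=1):
    """Build a random binary T and binary ephemeral secret u; return (T, u, c1) with c1 = T u.

    The seed is a constructed value so the example is reproducible offline.
    """
    rng = random.Random(seed)
    T = [[rng.randint(0, 1) for _ in range(N)] for _ in range(M)]
    u = [rng.randint(0, 1) for _ in range(N)]
    return T, u, matvec(T, u)


def reduce_instance(T, c1, guess):
    """Remove guessed coordinates of u from the instance.

    guess maps a column index j to the guessed bit u_j. The contribution of the
    guessed columns is subtracted from c1, leaving c_rest = T_rest u_rest, where
    T_rest holds only the unguessed columns. Returns (T_rest, c_rest, rest_idx).
    """
    rest_idx = [j for j in range(len(T[0])) if j not in guess]
    c_rest = [c1[i] - sum(T[i][j] * b for j, b in guess.items()) for i in range(len(T))]
    T_rest = [[T[i][j] for j in rest_idx] for i in range(len(T))]
    return T_rest, c_rest, rest_idx


def is_consistent(T_rest, c_rest):
    """Cheap necessary condition on a residual: every entry must lie between 0 and the
    number of ones in that row of T_rest, since u_rest is a 0/1 vector. A guess that
    violates this cannot be completed and can be discarded without further work."""
    return all(0 <= c <= sum(row) for row, c in zip(T_rest, c_rest))


def solve_by_enumeration(T_rest, c_rest):
    """Return every 0/1 vector u_rest with T_rest u_rest == c_rest.

    Only feasible at toy size: the search space is 2^(N - k) after guessing k bits,
    down from 2^N for the full instance. The paper replaces this step with a CVP solver.
    """
    n_rest = len(T_rest[0]) if T_rest else 0
    return [list(cand) for cand in itertools.product((0, 1), repeat=n_rest)
            if matvec(T_rest, list(cand)) == c_rest]


def demo(seed=1, k=4):
    """Guess the first k bits of u correctly, reduce, and solve the residual instance.

    Returns (search_space_before, search_space_after, residual_is_consistent,
    true_u_rest_found) so the effect of removing k bits is measurable.
    """
    T, u, c1 = make_instance(seed)
    guess = {j: u[j] for j in range(k)}          # a correct guess of the first k bits
    T_rest, c_rest, rest_idx = reduce_instance(T, c1, guess)
    u_rest = [u[j] for j in rest_idx]
    consistent = is_consistent(T_rest, c_rest)
    solutions = solve_by_enumeration(T_rest, c_rest)
    return 2 ** N, 2 ** (N - k), consistent, u_rest in solutions


if __name__ == "__main__":
    before, after, ok, found = demo()
    print(f"candidates before guessing: {before}, after removing 4 bits: {after}")
    print(f"residual consistent: {ok}, true u_rest among solutions: {found}")
```

Running `demo()` shows that removing k guessed bits leaves an instance with the same number of equations but N - k unknowns, and that the residual target is exactly the image of the remaining secret bits. The `is_consistent` check is a deliberately cheap filter: it rejects some wrong guesses immediately, which is the kind of pruning the hybrid approach relies on before any lattice work is done.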
