LWE with Side Information: Attacks and Concrete Security Estimation

We propose a framework for cryptanalysis of lattice-based schemes, when side information—in the form of “hints”—about the secret and/or error is available. Our framework generalizes the so-called primal lattice reduction attack, and allows the progressive integration of hints before running a final lattice reduction step. Our techniques for integrating hints include sparsifying the lattice, projecting onto and intersecting with hyperplanes, and/or altering the distribution of the secret vector. Our main contribution is to propose a toolbox and a methodology to integrate such hints into lattice reduction attacks and to predict the performance of those lattice attacks with side information.
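The "projecting onto and intersecting with hyperplanes" step can be followed on a toy instance. This is an added example, not the paper's toolbox code: it assumes the secret s is modelled as a Gaussian with mean mu and covariance Sigma, that a hint has the form <s, v> = l (restricting s to a hyperplane), and that integrating it means conditioning the Gaussian on that equation; it also handles the redundant-hint case, where the hint adds nothing and the update would divide by zero.

```python
# Added example: progressive integration of hints <s, v> = l into a
# Gaussian model (mu, Sigma) of an LWE secret by conditioning.
# Assumption: each hint confines s to the hyperplane {x : <x, v> = l};
# the hint's "information" is the prior variance of <s, v>, i.e. v^T Sigma v.
from fractions import Fraction as F

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def mat_vec(m, v):
    return [dot(row, v) for row in m]

def trace(m):
    return sum(m[i][i] for i in range(len(m)))

def integrate_perfect_hint(mu, sigma, v, l):
    """Return (mu', Sigma') after conditioning on <s, v> = l."""
    sv = mat_vec(sigma, v)            # Sigma v (Sigma is symmetric)
    var = dot(v, sv)                  # v^T Sigma v: prior variance of <s, v>
    if var == 0:
        # v lies in directions already fixed by earlier hints: the hint is
        # implied (or contradicts them) and must not be "integrated" again.
        raise ValueError("hint already implied by current knowledge")
    gain = (l - dot(mu, v)) / var
    mu2 = [m + gain * x for m, x in zip(mu, sv)]
    n = len(v)
    sigma2 = [[sigma[i][j] - sv[i] * sv[j] / var for j in range(n)]
              for i in range(n)]
    return mu2, sigma2

def demo():
    # Constructed toy instance: ternary secret in dimension 4, prior mean 0
    # and covariance (2/3) * I, the variance of a uniform {-1, 0, 1} entry.
    n = 4
    s = [1, -1, 0, 1]
    mu = [F(0)] * n
    sigma = [[F(2, 3) if i == j else F(0) for j in range(n)] for i in range(n)]
    # Two independent hints, then a third that is their sum (redundant).
    hints = [[1, 0, 1, 0], [0, 1, 0, 1], [1, 1, 1, 1]]
    traces = [trace(sigma)]           # total remaining variance of s
    for v in hints:
        try:
            mu, sigma = integrate_perfect_hint(mu, sigma, v, dot(s, v))
        except ValueError:
            continue                  # skip hints that carry no new information
        traces.append(trace(sigma))
    return mu, sigma, traces

if __name__ == "__main__":
    print(demo())
```

Each independent hint removes one dimension of uncertainty (here the trace drops from 8/3 to 2 to 4/3), and the posterior (mu, Sigma) is what a final lattice-reduction cost estimate would then be run on.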
