Quantum Key Search for Ternary LWE

Ternary LWE, i.e., LWE with coefficients of the secret and the error vectors taken from {−1, 0, 1}, is a popular choice among NTRU-type cryptosystems and some signature schemes like BLISS and GLP. In this work we consider quantum combinatorial attacks on ternary LWE. Our algorithms are based on the quantum walk framework of Magniez-Nayak-Roland-Santha. At the heart of our algorithms is a combinatorial tool called the representation technique, which appears in algorithms for the subset sum problem. This technique can also be applied to ternary LWE, resulting in faster attacks. The focus of this work is quantum speed-ups for such representation-based attacks on LWE. When expressed in terms of the search space S for LWE keys, the asymptotic complexity of the representation attack drops from S (classical) down to S (quantum). This translates into noticeable attack speedups for concrete NTRU instantiations like NTRU-HRSS [CHES’17] and NTRU Prime [SAC’17]. Our algorithms do not undermine current security claims for NTRU or other ternary-LWE-based schemes, yet they can lay the ground for improvements of the combinatorial subroutines inside hybrid attacks on LWE.
