Sublattice Attacks on Ring-LWE with Wide Error Distributions I

Since the Lyubashevsky-Peikert-Regev Eurocrypt 2010 paper, Ring-LWE has been the hard computational problem for lattice cryptographic constructions. The fundamental problem is its hardness, which has been based on the conjectured hardness of approximating ideal-SIVP or ideal-SVP. Though it is now widely conjectured that both are hard in the classical and quantum computation models, not enough attacks have been proposed and considered. In this paper we propose sublattice attacks on Ring-LWE over an arbitrary number field from sublattice pairs. We give a sequence of number fields $K_n$ of degree $d_n \to \infty$ such that decision Ring-LWE with very wide error distributions over the integer rings of $K_n$ can be solved by a polynomial (in $d_n$) time algorithm from our sublattice attack. The widths of the error distributions in our attack are in the range of the Peikert-Regev-Stephens-Davidowitz hardness reduction results in their STOC 2017 paper. Hence we also prove that approximating ideal-SIVP$_{poly(d)}$ with some polynomial factor for ideal lattices in these number fields can be solved by a polynomial time quantum algorithm.
