On dual lattice attacks against small-secret LWE and parameter - - PowerPoint PPT Presentation

on dual lattice attacks against small secret lwe and
SMART_READER_LITE
LIVE PREVIEW

On dual lattice attacks against small-secret LWE and parameter - - PowerPoint PPT Presentation

Mar 01, 2023 310 likes •591 views

On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL Martin R. Albrecht Information Security Group, Royal Holloway, University of London Learning with Errors or 1 Oded Regev. On lattices, learning with

slide-1
SLIDE 1

On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL

Martin R. Albrecht Information Security Group, Royal Holloway, University of London

slide-2
SLIDE 2

Learning with Errors

The Learning with Errors (LWE) problem was defined by Oded Regev.1 Given (A, c) with uniform A ∈ Zm×n

q

, uniform s ∈ Zn

q and small e ∈ Zm

is c ←$ U ( Zm

q

)

  • r

            c             =             ← n → A             ·    s    +             e             .

1Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In: 37th

ACM STOC. ed. by Harold N. Gabow and Ronald Fagin. ACM Press, May 2005, pp. 84–93.

slide-3
SLIDE 3

FHE-schemes based on LWE

BGV Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS 2012. Ed. by Shafi Goldwasser. ACM, Jan. 2012, pp. 309–325, implemented HELib FV Junfeng Fan and Frederik Vercauteren. Somewhat Practical Fully Homomorphic Encryption. Cryptology ePrint Archive, Report 2012/144.

http://eprint.iacr.org/2012/144. 2012, implemented

in SEAL v2

slide-4
SLIDE 4

Small Secrets

  • HElib typically chooses s such that w = 64 entries are ±1 and

all remaining entries are 0, regardless of dimension n.

  • SEAL chooses si ←$ {−1, 0, 1}.

How many bits of security does this cost?

slide-5
SLIDE 5

Hardness: Reductions v Constructions

“A major part of our reduction […] is therefore dedicated to showing reduction from LWE (in dimension n) with arbitrary secret in Zn

q to LWE (in dimension n log2 q) with a secret

chosen uniformly over {0, 1}.”2 “This brings up the question of whether one can get better attacks against LWE instances with a very sparse secret (much smaller than even the noise). […] it seems that the very sparse secret should only add maybe one bit to the modulus/noise ratio.”3

2Zvika Brakerski et al. Classical hardness of learning with errors. In: 45th ACM STOC. ed. by

Dan Boneh, Tim Roughgarden, and Joan Feigenbaum. ACM Press, June 2013, pp. 575–584.

3Craig Gentry, Shai Halevi, and Nigel P. Smart. Homomorphic Evaluation of the AES Circuit.

Cryptology ePrint Archive, Report 2012/099. http://eprint.iacr.org/2012/099. 2012.

slide-6
SLIDE 6

Lattice Attacks

Primal Attack solve Bounded Distance Decoding problem (BDD), i.e. find s′ s.t. ∥w − c∥is minimised, with w = A · s′ using

  • uSVP embedding or
  • Babai’s nearest planes resp. enumeration.

Dual Attack solve Short Integer Solutions problem (SIS) in the left kernel of A, i.e. find a short w such that w · A = 0 and check if ⟨w, c⟩ = w · (A · s + e) = ⟨w, e⟩ is short.

slide-7
SLIDE 7

Dual Attack

A reduced lattice basis contains short vectors. In particular, the first vector is short: ∥v∥ ≈ δm

0 · qn/m.

  • 1. Construct a basis of the dual lattice from A.
  • 2. Run lattice reduction algorithm to obtain short vectors vi.
  • 3. Check if ⟨vi, c⟩ are small.4

4Daniele Micciancio and Oded Regev. Lattice-based Cryptography. In: Post-Quantum

  • Cryptography. Ed. by Daniel J. Bernstein, Johannes Buchmann, and Erik Dahmen. Berlin,

Heidelberg, New York: Springer, Heidelberg, 2009, pp. 147–191.

slide-8
SLIDE 8
  • 1. Amortising Costs
slide-9
SLIDE 9

Dual Attack: Trade-off

Given an LWE instance characterised by n, α, q and a vector v of length ∥v∥ such that v · A ≡ 0 (mod q), the advantage ε of distinguishing ⟨v, c⟩ from random is close to5 exp(−π(∥v∥ · α)2). 10 20 30 40 50 60 250 300 350 400 ε = 1/2i log2 (BKZ cost)

5Richard Lindner and Chris Peikert. Better Key Sizes (and Attacks) for LWE-Based Encryption. In:

CT-RSA 2011. Ed. by Aggelos Kiayias. Vol. 6558. LNCS. Springer, Heidelberg, Feb. 2011, pp. 319–339.

slide-10
SLIDE 10

Amplifying Advantage

To achieve constant advantage, repeat experiment ≈ 1/ε2 times for majority vote. 10 20 30 40 50 60 350 400 ε = 1/2i log2 ( 22 i · BKZ cost )

slide-11
SLIDE 11

Just do it™

slide-12
SLIDE 12

Amortising Costs

Avoiding 1/ε2 calls to BKZ in block size β.

  • 1. L ← basis for {y ∈ Zm : y · A ≡ 0 mod q}
  • 2. R ← BKZ-β reduced basis for L
  • 3. Repeat:

3.1 U ←$ a sparse unimodular matrix with small entries 3.2 Ri ← BKZ-β′ reduced basis for U · R 3.3 yi ← shortest row vector in Ri 3.4 wi ← ⟨yi, c⟩

  • 4. Decide if wi is uniform or not.

We give empirical evidence that the quality of Ri isn’t “too bad”: for β′ = 2, they are < 2 · δm

0 · qn/m with δ0 for BKZ-β.

slide-13
SLIDE 13
  • 2. Scaling
slide-14
SLIDE 14

Scaling for Dual Attack

  • We do not need to find v · A ≡ 0 mod q, but any short v such that

v · A = w is short suffices.

  • Consider the normal form of the dual attack on LWE

Λ(A) = {(x, y) ∈ Zm × Zn : x · A ≡ y mod q}

  • Given a short vector (v, w) ∈ Λ(A) compute

⟨v, c⟩ = v · (A · s + e) = ⟨w, s⟩ + ⟨v, e⟩

slide-15
SLIDE 15

Scaling for Dual Attack

  • Aim is to balance ∥ ⟨w, s⟩ ∥ ≈ ∥ ⟨v, e⟩ ∥ when ∥s∥ is small.
  • Scale the lattice6

Λ(A) = {(x, y/c) ∈ Zm × (1/c · Z)n : x · A ≡ y mod q} for some constant c.

  • Lattice reduction produces a vector (v, w) with

∥(v, w)∥ ≈ δ(m+n) · (q/c)n/(m+n).

  • The final error we aim to distinguish from uniform is

v · A · s + ⟨v, e⟩ = ⟨c · w, s⟩ + ⟨v, e⟩ .

6Shi Bai and Steven D. Galbraith. Lattice Decoding Attacks on Binary LWE. In: ACISP 14. Ed. by

Willy Susilo and Yi Mu. Vol. 8544. LNCS. Springer, Heidelberg, July 2014, pp. 322–337. doi:

10.1007/978-3-319-08344-5_21.

slide-16
SLIDE 16

Scaling for Dual Attack

From v · A · s + ⟨v, e⟩ = ⟨c · w, s⟩ + ⟨v, e⟩ . we find c by solving c = α q √ 2 π h · √ m − n which equalises the noise contributions of both parts of the sum.

slide-17
SLIDE 17
  • 3. Sparse Secrets
slide-18
SLIDE 18

Ignoring Components

  • When the secret is sparse, most columns of A are irrelevant.
  • The probability of getting lucky (si = 0) when ignoring k random

components in dimension n with in total h entries si ̸= 0 follows a hypergeometric distribution Pk =

k−1

i=0

( 1 − h n − i ) = (n−h

k

) (n

k

)

  • Solving (with high enough probability) ≈ 1/Pk instances in

dimension n − k solves our instance at dimension n.

slide-19
SLIDE 19

Ignoring Components in Dual Attack

?

v

             v0 v1 v2 . . . vm−3 vm−2 vm−1              ·

A

             a0,0 · · · a0,k−1 a0,k · · · a0,n−1 a1,0 · · · a1,k−1 a1,k · · · a1,n−1 a2,0 · · · a2,k−1 a2,k · · · a2,n−1 . . . ... . . . . . . ... . . . am−3,0 · · · am−3,k−1 am−3,k · · · am−3,n−1 am−2,0 · · · am−2,k−1 am−2,k · · · am−2,n−1 am−1,0 · · · am−1,k−1 am−1,k · · · am−1,n−1              ·

s

            s0 . . . sk−1 sk . . . sn−1            

?

≈ ( a′

0,0

· · · a′

0,k−1

· · · ) ·             s0 . . . sk−1 sk . . . sn−1            

slide-20
SLIDE 20

Ignoring Components in Dual Attack

v

             v0 v1 v2 . . . vm−3 vm−2 vm−1              ·

A

             a0,0 · · · a0,k−1 a0,k · · · a0,n−1 a1,0 · · · a1,k−1 a1,k · · · a1,n−1 a2,0 · · · a2,k−1 a2,k · · · a2,n−1 . . . ... . . . . . . ... . . . am−3,0 · · · am−3,k−1 am−3,k · · · am−3,n−1 am−2,0 · · · am−2,k−1 am−2,k · · · am−2,n−1 am−1,0 · · · am−1,k−1 am−1,k · · · am−1,n−1              ·

s

            . . . sk . . . sn−1             = ( a′

0,0

· · · a′

0,k−1

· · · ) ·             . . . sk . . . sn−1             ⟨c · wk:, sk:⟩ + ⟨v, e⟩

slide-21
SLIDE 21

Postprocessing

a′

0,0 ≈ v

             v0 v1 v2 . . . vm−3 vm−2 vm−1              ·

A

             a0,0 · · · a0,k−1 a0,k · · · a0,n−1 a1,0 · · · a1,k−1 a1,k · · · a1,n−1 a2,0 · · · a2,k−1 a2,k · · · a2,n−1 . . . ... . . . . . . ... . . . am−3,0 · · · am−3,k−1 am−3,k · · · am−3,n−1 am−2,0 · · · am−2,k−1 am−2,k · · · am−2,n−1 am−1,0 · · · am−1,k−1 am−1,k · · · am−1,n−1              ·

s

            1 . . . sk . . . sn−1             ≈ ( a′

0,0

· · · a′

0,k−1

· · · ) ·             1 . . . sk . . . sn−1             a′

0,0 + ⟨c · wk:, sk:⟩ + ⟨v, e⟩

slide-22
SLIDE 22

Postprocessing

The probability to ignore k − j columns with si = 0 and exactly j components with si ̸= 0 is Pk,j = (n−h

k−j

)(h

j

) (n

k

)

  • 1. Repeat overall experiment

(∑ℓ

j=0 Pk,j

)−1 times

  • 2. For each:

2.1 Perform ∑ℓ

i=0

(k

i

) · 2i checks for shifted “small distributions”, reusing short vector output by lattice reduction.

slide-23
SLIDE 23

Overall

slide-24
SLIDE 24

Silke

Variant of dual attack for small (and sparse) secrets:

  • 1. Perform BKZ-β once and then run BKZ-β′ with β′ < β to make

many short vectors

  • 2. Scale the normal form of the dual lattice.
  • 3. If sparse, ignore presumed-zero columns, correcting for

mistakes by checking for shifted distributions.

slide-25
SLIDE 25

Results

n 1024 2048 4096 8192 16384 SEAL (pre 2.1) 80-bit log2 q 47.5 95.4 192.0 392.1 799.6 dual 83.1 78.2 73.7 71.1 70.6 Silkesmall 68.1 69.0 68.2 68.4 68.8 HElib 80-bit log2 q 47.0 87.0 167.0 326.0 638.0 dual 85.2 85.2 85.3 84.6 85.5 Silkesparse 61.3 65.0 67.9 70.2 73.1 HElib 128-bit log2 q 38.0 70.0 134.0 261.0 511.0 dual 110.7 110.1 109.3 108.8 108.9 Silkesparse 73.2 77.4 81.2 84.0 86.4

slide-26
SLIDE 26

Thank you

Questions?

https://ia.cr/2017/047