On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL
نویسنده
چکیده
We present novel variants of the dual-lattice attack against LWE in the presence of an unusually short secret. These variants are informed by recent progress in BKW-style algorithms for solving LWE. Applying them to parameter sets suggested by the homomorphic encryption libraries HElib and SEAL v2.0 yields revised security estimates. Our techniques scale the exponent of the dual-lattice attack by a factor of (2L)/(2L+1) when log q = Θ(L logn), when the secret has constant hamming weight h and where L is the maximum depth of supported circuits. They also allow to half the dimension of the lattice under consideration at a multiplicative cost of 2 operations. Moreover, our techniques yield revised concrete security estimates. For example, both libraries promise 80 bits of security for LWE instances with n = 1024 and log2 q ≈ 47, while the techniques described in this work lead to estimated costs of 68 bits (SEAL v2.0) and 62 bits (HElib).
منابع مشابه
A New Ring-Based SPHF and PAKE Protocol On Ideal Lattices
emph{ Smooth Projective Hash Functions } ( SPHFs ) as a specific pattern of zero knowledge proof system are fundamental tools to build many efficient cryptographic schemes and protocols. As an application of SPHFs, emph { Password - Based Authenticated Key Exchange } ( PAKE ) protocol is well-studied area in the last few years. In 2009, Katz and Vaikuntanathan described the first lattice-based ...
متن کاملA Hybrid Lattice Basis Reduction and Quantum Search Attack on LWE
Recently, an increasing amount of papers proposing postquantum schemes also provide concrete parameter sets aiming for concrete post-quantum security levels. Security evaluations of such schemes need to include all possible attacks, in particular those by quantum adversaries. In the case of lattice-based cryptography, currently existing quantum attacks are mainly classical attacks, carried out ...
متن کاملOn error distributions in ring-based LWE
Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the ring learning with errors problem (ring-LWE) has become a popular building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction from ideal lattice problems. But, for a given modulus q and degree n number field K, generating ring-LWE samples can be perceiv...
متن کاملKey Recovery for LWE in Polynomial Time
We present a generalization of the Hidden Number Problem and generalize the Boneh-Venkatesan method [BV96, Shp05] for solving it in polynomial time. We then use this to mount a key recovery attack on LWE which runs in polynomial time using the LLL lattice basis reduction algorithm. Success can be guaranteed with overwhelming probability for narrow error distribution when q ≥ 2, where n is the d...
متن کامل3 Ring LWE
The learning with errors (LWE) problem is to efficiently distinguish vectors created from a ‘noisy’ set of linear equations between uniformly random vectors. Given a matrix A ∈ Zm×n q and a vector v ∈ Zq , the goal is to determine whether v has been sampled uniformly at random from Zq or whether v = As+ e for some random s ∈ Zq and e ∈ χm, where χ is a small ‘noise’ distribution over Zq. Observ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2017 شماره
صفحات -
تاریخ انتشار 2017