Key Recovery for LWE in Polynomial Time
نویسندگان
چکیده
We present a generalization of the Hidden Number Problem and generalize the Boneh-Venkatesan method [BV96, Shp05] for solving it in polynomial time. We then use this to mount a key recovery attack on LWE which runs in polynomial time using the LLL lattice basis reduction algorithm. Success can be guaranteed with overwhelming probability for narrow error distribution when q ≥ 2, where n is the dimension of the secret key, and we can give an explicit constant in the exponent, but in practice the performance is significantly better. The same attack can be used to break RLWE for the same parameter ranges. Two main types of attacks are already known for LWE: the distinguishing attack [MR09] and the decoding attack ([LP11]), which uses the BKZ algorithm. Our key recovery attack is interesting because it runs in polynomial time and yields simple and concrete security estimates for a wide range of parameters depending in a clear and explicit way on the effective approximation factor in the LLL algorithm. We ran the attack for hundreds of LWE instances demonstrating successful key recovery attacks and yielding information about the effective approximation factor as the lattice dimension grows (see Figure 3). For example, we successfully recover the secret key for an instance with n = 350 in about 3.5 days on a single machine.
منابع مشابه
Integer Version of Ring-LWE and its Applications
In this work, we describe an integer version of ring-LWE over the polynomial rings and prove that its hardness is equivalent to one of the polynomial ring-LWE. Moreover, we also present a public key cryptosystem using this variant of the polynomial ring-LWE.
متن کاملA Practical Post-Quantum Public-Key Cryptosystem Based on spLWE
The Learning with Errors (LWE) problem has been widely used as a hardness assumption to construct public-key primitives. In this paper, we propose an efficient instantiation of a PKE scheme based on LWE with a sparse secret, named as spLWE. We first construct an IND-CPA PKE and convert it to an IND-CCA scheme in the quantum random oracle model by applying a modified Fujisaki-Okamoto conversion ...
متن کاملAttacks against search Poly-LWE
The Ring-LWE (RLWE) problem is expected to be a computationally-hard problem even with quantum algorithms. The Poly-LWE (PLWE) problem is closely related to the RLWE problem, and in practice a security base for various recently-proposed cryptosystems. In 2014, Eisentraeger et al. proposed attacks against the decision-variant of the PLWE problem (and in 2015, Elias et al. precisely described and...
متن کاملEfficient Ring-LWE Encryption on 8-Bit AVR Processors
Public-key cryptography based on the “ring-variant” of the Learning with Errors (ring-LWE) problem is both efficient and believed to remain secure in a post-quantum world. In this paper, we introduce a carefully-optimized implementation of a ring-LWE encryption scheme for 8-bit AVR processors like the ATxmega128. Our research contributions include several optimizations for the Number Theoretic ...
متن کاملMiddle-Product Learning with Errors
We introduce a new variant MP-LWE of the Learning With Errors problem (LWE) making use of the Middle Product between polynomials modulo an integer q. We exhibit a reduction from the PolynomialLWE problem (PLWE) parametrized by a polynomial f , to MP-LWE which is defined independently of any such f . The reduction only requires f to be monic with constant coefficient coprime with q. It incurs a ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2015 شماره
صفحات -
تاریخ انتشار 2015