
Practical Analysis of Key Recovery Attack against Search-LWE Problem

The 11th International Workshop on Security, Sep. 13th 2016

Momonari Kudo (1), Junpei Yamaguchi (1), Yang Guo (1) and Masaya Yasuda (2, 3)

(1) Graduate School of Mathematics, Kyushu University
(2) Institute of Mathematics for Industry
(3) JST, CREST

Contents

1. Introduction

1-1. Cryptography and (Computational) Mathematics

The security of a number of modern cryptosystems relies on the computational hardness of mathematical problems.

Modern cryptography is roughly divided into:

- Lattice-based cryptography (this study)
- Code-based cryptography
- Multivariate cryptography

1-2. Definition of lattice

Definition (lattice and its basis).

Given linearly independent vectors $\mathbf{b}_1, \dots, \mathbf{b}_n \in \mathbb{R}^m$, the lattice $\mathcal{L} \subset \mathbb{R}^m$ generated by $\mathcal{B} := \{\mathbf{b}_1, \dots, \mathbf{b}_n\}$ is defined as the set of all integral linear combinations of $\mathbf{b}_1, \dots, \mathbf{b}_n$, that is,

$$\mathcal{L} := \left\{ \sum_{i=1}^{n} x_i \mathbf{b}_i : x_i \in \mathbb{Z} \text{ for all } 1 \le i \le n \right\}.$$

$\mathcal{B}$ : a basis of $\mathcal{L}$.
$m$ : the dimension of $\mathcal{L} \subset \mathbb{R}^m$.
$\operatorname{rank}(\mathcal{L}) := n$ : the rank of $\mathcal{L}$.

Note : rank($\mathcal{L}$) is invariant, and the quality of bases is important for solving computational problems.

[Figure: example of a 2-dimensional, rank-2 lattice with basis $\mathbf{b}_1, \mathbf{b}_2$ and the lattice point $\mathbf{u} = 3\mathbf{b}_1 + \mathbf{b}_2$.]

1-3. Lattice-based cryptography

The security of lattice-based cryptography relies on the computational hardness of problems [MG02] in lattice theory, e.g.,

- Shortest Vector Problem (SVP),
- Closest Vector Problem (CVP),
- Learning With Errors problem (LWE), etc.

[MG02] D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective, Kluwer (2002)

Note : The quality of bases of lattices is very important for solving the above problems.

1-4. Closest Vector Problem (CVP)

Definition (Closest Vector Problem).

Given : $\mathcal{B} = \{\mathbf{b}_1, \dots, \mathbf{b}_n\}$ ; a basis of a lattice $\mathcal{L} \subset \mathbb{R}^m$,
$\mathbf{v} \in \mathbb{R}^m \cap \mathrm{Span}\{\mathbf{b}_1, \dots, \mathbf{b}_n\}$ with $\mathbf{v} \notin \mathcal{L}$,
$\|\cdot\|$ ; a norm on $\mathbb{R}^m$ (typically the Euclidean norm).

CVP is to find the closest lattice point $\mathbf{u} \in \mathcal{L}$ to $\mathbf{v}$ w.r.t. $\|\cdot\|$, i.e., $\|\mathbf{u} - \mathbf{v}\| \le \|\mathbf{w} - \mathbf{v}\|$ for all $\mathbf{w} \in \mathcal{L}$.

[Figure: basis $\mathbf{b}_1, \mathbf{b}_2$, target $\mathbf{v}$ and its closest lattice point $\mathbf{u}$.]

1-5. Learning With Errors (LWE)

The learning with errors (LWE) problem was proposed by Regev [Reg05] in 2005, and it is
- a problem to solve (non-homogeneous) linear equations over a finite field, and
- said to be a computationally hard problem.
Several encryption schemes based on LWE have been published, e.g., [BCV12], [GGH15].

[Reg05] O. Regev, On lattices, learning with errors, random linear codes, and cryptography, STOC 2005, ACM, 84-93 (2005)
[BCV12] Z. Brakerski, C. Gentry and V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, ITCS 2012, ACM, 309-325 (2012)
[GGH15] C. Gentry, S. Gorbunov and S. Halevi, Graph-induced multilinear maps from lattices, TCC 2015, Springer LNCS 9015, 498-527 (2015)

In order to construct more secure cryptosystems, it is crucial to analyze the security of LWE.

1-6. Example of the (search-)LWE problem

The (search-)LWE problem essentially means to solve linear congruences (a precise definition is given later), e.g.,

$10 s_1 - s_2 + e_1 = 3 \pmod{31}$
$7 s_1 - 2 s_2 + e_2 = -10 \pmod{31}$
$3 s_1 + s_2 + e_3 = 12 \pmod{31}$
$s_1 - 4 s_2 + e_4 = 1 \pmod{31}$

where $s_j \in \left(-\tfrac{31}{2}, \tfrac{31}{2}\right) \cap \mathbb{Z}$ and in this case suppose $e_i \in \{0, \pm 1\}$.

Then find $(s_1, s_2)$ (or $(e_1, e_2, e_3, e_4)$).
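As an added example (not part of the slides), the toy instance above can be settled by exhaustive search over $\mathbb{Z}_{31}^2$: the rows of $A$, the right-hand sides $t_i$ and the error bound $e_i \in \{0, \pm 1\}$ are taken from the four congruences, while the function names and the search itself are this example's own construction. It recovers the secret and the error vector together, and its $q^n$ cost is the reason the lattice attack in the later sections is needed at realistic sizes.

```python
from itertools import product

Q = 31
# Rows a_i and right-hand sides t_i of the four congruences on the slide.
A = [(10, -1), (7, -2), (3, 1), (1, -4)]
T = [3, -10, 12, 1]

def centered_mod(x, q=Q):
    """Representative of x mod q in Z_q = (-q/2, q/2) for odd q."""
    r = x % q
    return r - q if r > q // 2 else r

def error_vector(A, t, s, q=Q):
    """e = t - A s (mod q), entry-wise centered, for a candidate secret s."""
    return [centered_mod(ti - sum(a * x for a, x in zip(row, s)), q)
            for row, ti in zip(A, t)]

def solve_toy_lwe(A, t, q=Q, max_err=1):
    """Exhaustive search over Z_q^n: keep every s whose error lies in {-max_err, ..., max_err}^d.
    The cost is q^n candidates: fine for n = 2, hopeless at the n ~ 200 of Section 3-6."""
    n, half = len(A[0]), q // 2
    hits = []
    for s in product(range(-half, half + 1), repeat=n):
        e = error_vector(A, t, s, q)
        if all(abs(x) <= max_err for x in e):
            hits.append((s, e))
    return hits

if __name__ == "__main__":
    for s, e in solve_toy_lwe(A, T):
        print("s =", s, "  e =", e)
```

For this instance the search returns exactly one candidate, $(s_1, s_2) = (1, 8)$ with $(e_1, e_2, e_3, e_4) = (1, -1, 1, 1)$; with the error forced to zero (`max_err=0`) no candidate survives, which is why the noise term is what separates LWE from plain linear algebra over $\mathbb{Z}_q$.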

1-7. Definition of the LWE distribution

Definition (LWE distribution).

$q$ : odd prime, $\mathbb{Z}_q := \left(-\tfrac{q}{2}, \tfrac{q}{2}\right) \cap \mathbb{Z}$, $\sigma$ : the standard deviation.

Given $n, q, d$ and $\sigma$, the LWE distribution is the distribution on $M_{d,n}(\mathbb{Z}) \times \mathbb{Z}_q^d$ given by pairs $(A, \mathbf{t})$ s.t.

$A\mathbf{s} + \mathbf{e} = \mathbf{t} \pmod q$, i.e.,

$a_{1,1} s_1 + \cdots + a_{1,n} s_n + e_1 = t_1 \pmod q$
$a_{2,1} s_1 + \cdots + a_{2,n} s_n + e_2 = t_2 \pmod q$
$\vdots$
$a_{d,1} s_1 + \cdots + a_{d,n} s_n + e_d = t_d \pmod q$

where $M_{d,n}(\mathbb{Z}) := \{ d \times n \text{ matrices over } \mathbb{Z} \}$,
each entry of $A = (a_{i,j})_{i,j}$ is uniformly chosen from $\mathbb{Z}_q$,
$\mathbf{s} = (s_j)_j \in \mathbb{Z}_q^n$ : fixed "secret" (column) vector,
$\mathbf{e} = (e_i)_i \in \mathbb{Z}^d$ : "error (or noise)" vector chosen by the Gaussian distribution $D_{\sigma,\mathbb{Z}}$.

1-8. Definition of the LWE problem

Definition (LWE problem).

Given $n, q, d, \sigma$ and $(A, \mathbf{t}) \in M_{d,n}(\mathbb{Z}) \times \mathbb{Z}_q^d$,

Decision-LWE (problem) : Decide whether $(A, \mathbf{t})$ is sampled from the LWE distribution defined by $(n, q, d, \sigma)$ or from the uniform distribution on $M_{d,n}(\mathbb{Z}) \times \mathbb{Z}_q^d$.

Search-LWE (problem) : If $(A, \mathbf{t})$ is sampled from the LWE distribution, recover $\mathbf{s} \in \mathbb{Z}_q^n$. (This study)

1-9. Our study and motivation

Our study : Key recovery attack without enumeration for LWE

Our Motivation : Determine which LWE instances $(n, q, d, \sigma)$ can be solved by the key recovery attack without enumeration.

Our Technical Point : Investigate the quality of bases of special lattices in LWE.

Contents

1. Introduction

2. Overview of Key Recovery Attack

3. Our analysis on Key Recovery Attack

4. Conclusion

2-1. Known attack for LWE

At present, there are three kinds of attacks for the search-LWE [APS15] :

1. Lattice-based attack
- Reduce the search-LWE to CVP

2. Combinatorial attack (Blum-Kalai-Wasserman's algorithm [BKW03])
- Apply Gaussian elimination to obtain a sample with only one non-zero coordinate, and then execute brute-force

3. Algebraic attack (Arora-Ge's method [AG11], [ACF14])
- Reduce the search-LWE to solving algebraic equations over a finite field

(!) This talk is devoted to the first type of attack.

[APS15] M. R. Albrecht, R. Player and S. Scott, On the concrete hardness of learning with errors, J. Math. Cryptol. 9(3) 169-203 (2015)
[AG11] S. Arora and R. Ge, New algorithms for learning in presence of errors, In Automata, Languages and Programming, Springer LNCS 6755, 403-415 (2011)
[ACF14] M. A. Albrecht, C. Cid, J.-C. Faugere and L. Perret, Algebraic algorithms for LWE, IACR ePrint 2014/1018 (2014)
[BKW03] A. Blum, A. Kalai, and H. Wasserman, Noise-tolerant learning, the parity problem, and the statistical query model, J. ACM, 506-519 (2003)

2-2. Lattice-based attacks against search-LWE

At present, there are three well-known lattice-based attacks for the search-LWE [APS15] :

1. Bounded Distance Decoding (BDD), or Key Recovery Attack
- Reduce the search-LWE to CVP
- Solve CVP with [Ba86] or [LP11] and enumeration algorithms

2. Lattice reduction on the kernel (Dual lattice reduction strategy), [MR09]
- Apply lattice reduction to the dual lattice, which is the kernel lattice derived from sampled matrices
- Solve CVP by the obtained short vector

3. Embedding approach (Kannan's embedding technique), [Ka87]
- An LWE instance is transformed from a CVP instance to an SVP instance

[Ba86] L. Babai, On Lovász' lattice reduction and the nearest lattice point problem, Combinatorica 6, Issue 1, 1-13 (1986)
[Ka87] R. Kannan, Minkowski's convex body theorem and integer programming, Math. Oper. Res. 12, 415-440 (1987)
[LP11] R. Lindner and C. Peikert, Better key sizes (and attacks) for LWE-based encryption, CT-RSA 2011, Springer, LNCS 6558, 319-339 (2011)
[LL15] K. Laine and K. Lauter, Key recovery for LWE in polynomial time, IACR ePrint 2015/176 (2015)
[MR09] D. Micciancio and O. Regev, Lattice-based cryptography, In: Proc. of Post Quantum Cryptography, Springer, 147-191 (2009)

2-3. Summary on Lattice-based attacks against search-LWE

Considering that we can completely solve CVP with enumeration algorithms, lattice-based attacks against search-LWE are schematized as follows :

Attacks against Search-LWE
- Lattice-based attack (Our focus)
  - BDD, or Key recovery attack : lattice reduction + CVP algorithms
    - with CVP enumeration
    - without CVP enumeration (Our focus)
  - Dual lattice reduction
    - with CVP enumeration
    - without CVP enumeration
  - Embedding approach
    - with CVP enumeration
    - without CVP enumeration
- Combinatorial attack
  - BKW algorithm
- Algebraic attack
  - Arora-Ge's method by solving algebraic equations

Our study is concerned with the key recovery attack without enumeration.

2-4. Outline of the key recovery attack

The concept of this attack : reduce the search-LWE to CVP.

(!) Assumption : $\mathbf{t} := A\mathbf{s} + \mathbf{e} \pmod q = (A\mathbf{s} \bmod q) + \mathbf{e}$

It suffices to recover the vector $A\mathbf{s} \pmod q$ (once it is known, $\mathbf{s}$ follows from $A$ and $A\mathbf{s} \pmod q$ by linear algebra over $\mathbb{Z}_q$).

Step 1. Construct the $(d + n) \times d$ matrix $A_q$ :

$$A_q = \begin{pmatrix} q & & \\ & \ddots & \\ & & q \\ a_{1,1} & \cdots & a_{d,1} \\ \vdots & & \vdots \\ a_{1,n} & \cdots & a_{d,n} \end{pmatrix} = \begin{pmatrix} q I_d \\ A^{\mathsf{T}} \end{pmatrix}$$

(the upper block $q I_d$ is $d \times d$, the lower block $A^{\mathsf{T}}$ is $n \times d$).

$\mathcal{L}(A_q)$ : the ($q$-ary) lattice in $\mathbb{R}^d$ generated by all the row vectors of $A_q$.

Note : $\operatorname{rank} \mathcal{L}(A_q) = d$, and $A\mathbf{s} \pmod q \in \mathcal{L}(A_q)$.

Step 2. Execute a lattice basis reduction (e.g., LLL, bKZ) on $A_q$ and obtain a "good" basis matrix $B$ of $\mathcal{L}(A_q)$.

Step 3. Solve CVP for inputs $B$ and $\mathbf{t}$ to find $A\mathbf{s} \pmod q$. (CVP method : Babai nearest plane, Babai rounding, etc.)

2-5. Detail on Step 2 : lattice basis reduction

Step 2. Execute a lattice basis reduction (e.g., LLL, bKZ) to 𝐴𝑞 and

obtain a “good” basis matrix 𝐵 of the 𝑞-ary lattice ℒ(𝐴𝑞)

𝐴𝑞

Lattice basis reduction (LLL, bKZ)

𝐵

- The "reduced" basis matrix $B$ has good properties to solve CVP for inputs $B$ and $\mathbf{t}$.

- $\mathcal{L}(A_q)$ is a special lattice, called $q$-ary, and it has different properties from usual (or random) lattices.

- For a given basis of a lattice, lattice basis reduction computes another basis of the same lattice.

2-6. Recent works on the key recovery attack

Laine-Lauter's paper [LL15] has many experimental results on this attack that give information about the effective approximation factor in the LLL and imply which parameters $(n, q, d)$ for search-LWE are solvable.

Our analysis is to determine conditions which the reduced basis should satisfy; it also guarantees their experimental results.

Table 1. Difference between Laine-Lauter's analysis and ours

Motivation ([LL15] and ours) : Estimate which parameters for search-LWE are solvable by BDD
Characteristic : [LL15] much data about the effective approximation factor in the LLL; ours focuses on the quality of the reduced bases of $q$-ary lattices
Lattice reduction in Step 2 : [LL15] LLL; ours LLL, bKZ-20
CVP method in Step 3 ([LL15] and ours) : Babai nearest plane

Contents

1. Introduction

2. Overview of Key Recovery Attack

3. Our analysis on Key Recovery Attack

4. Conclusion

3-1. Babai nearest plane alg. in Step 3

Step 3. Solve CVP for inputs $B$ and $\mathbf{t}$ to find $A\mathbf{s} \pmod q$.

$B$ : the LLL reduced basis of $\mathcal{L}(A_q)$ obtained in Step 2
$\mathbf{b}_i$ : the $i$-th row vector of $B$ ($1 \le i \le d$)

Babai nearest plane alg. outputs a lattice point $\mathbf{v} \in \mathcal{L}(A_q)$ s.t.

(i) $\|\mathbf{v} - \mathbf{t}\| < 2^{d/2} \|\mathbf{u} - \mathbf{t}\|$ for all $\mathbf{u} \in \mathcal{L}(A_q)$,

(ii) $\mathbf{v} \in \mathbf{t} + \mathcal{P}(B^*) := \mathbf{t} + \left\{ \sum_{i=1}^{d} x_i \mathbf{b}_i^* : -\tfrac{1}{2} < x_i \le \tfrac{1}{2} \right\}$,

where $\mathbf{b}_1^*, \dots, \mathbf{b}_d^*$ : Gram-Schmidt orthogonalization basis of $\mathbf{b}_1, \dots, \mathbf{b}_d$.

Moreover, $(\mathbf{t} + \mathcal{P}(B^*)) \cap \mathcal{L}(A_q) = \{\mathbf{v}\}$.

3-2. Successful case of Step 3

Recall : The vector $A\mathbf{s} \pmod q$ is recovered in Step 3
$\iff A\mathbf{s} \pmod q = \mathbf{v} \in \mathbf{t} + \mathcal{P}(B^*)$
$\iff \mathbf{t} - A\mathbf{s} \pmod q \in \mathcal{P}(B^*)$, where $\mathbf{t} - A\mathbf{s} \pmod q = \mathbf{e}$ (the error vector).

3-3. Our heuristic estimation

Write $\mathbf{e} = \sum_{i=1}^{d} y_i \mathbf{b}_i^*$ ($\exists!\, y_i \in \mathbb{R}$). Then

$\mathbf{e} \in \mathcal{P}(B^*)$
$\iff |y_i| \le \tfrac{1}{2}$ for all $i$
$\iff \dfrac{|\langle \mathbf{e}, \mathbf{b}_i^* \rangle|}{\|\mathbf{b}_i^*\|^2} < \tfrac{1}{2}$ for all $i$ $\quad (\because \langle \mathbf{e}, \mathbf{b}_i^* \rangle = y_i \|\mathbf{b}_i^*\|^2)$

Heuristically, $\dfrac{\langle \mathbf{e}, \mathbf{b}_i^* \rangle}{\|\mathbf{b}_i^*\|^2} \approx \dfrac{\|\mathbf{e}\| \cdot \|\mathbf{b}_i^*\|}{\sqrt{d}\, \|\mathbf{b}_i^*\|^2} = \dfrac{\|\mathbf{e}\|}{\sqrt{d}\, \|\mathbf{b}_i^*\|}.$

Since $\|\mathbf{e}\| \approx \sigma\sqrt{d}$, it is estimated that Step 3 succeeds if and only if

$2\sigma < \|\mathbf{b}_i^*\|$ for all $i$ $\iff$ $2\sigma < \min_{1 \le i \le d} \|\mathbf{b}_i^*\|$.

3-4. 𝑞-ary lattice in Step 2

Investigate $\displaystyle \min_{1 \le i \le d} \|\mathbf{b}_i^*\| = \left( \left( \frac{\min_{1 \le i \le d} \|\mathbf{b}_i^*\|}{q^{(d-n)/d}} \right)^{1/d} \right)^{d} \cdot q^{(d-n)/d}$

(here $q^{(d-n)/d} = \det(\mathcal{L}(A_q))^{1/d}$ when $A \bmod q$ has full column rank, so the ratio measures how far the shortest Gram-Schmidt vector is below the lattice's normalized volume).

Set $c_{LLL} := \left( \dfrac{\min_{1 \le i \le d} \|\mathbf{b}_i^*\|}{q^{(d-n)/d}} \right)^{1/d}$, and experimentally investigate the values $c_{LLL}$ for $q$-ary lattices obtained from LWE samples.

By our experiments, we estimate that $c_{LLL} = 0.9775$ at minimum, and $c_{bKZ20} = 0.9863$ at minimum for $q$-ary lattices.

cf. By some calculations with experimental results in [GN08], we expected $c_{LLL} = 0.982596$ on average for random lattices.

[GN08] N. Gama and P. Q. Nguyen, Predicting lattice reduction, In Advances in Cryptology - EUROCRYPT 2008, Springer LNCS 4965, 31-51 (2008)
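An added example (not code from the slides or the authors) that runs Steps 1-3 of Section 2-4 end to end on the toy instance of Section 1-6 and then applies the checks of Sections 3-2 to 3-4: the exact success test $\mathbf{e} \in \mathcal{P}(B^*)$ and the constant $c = (\min_i \|\mathbf{b}_i^*\| / q^{(d-n)/d})^{1/d}$ are evaluated on the reduced basis that LLL actually produces. It is written in exact rational arithmetic, so none of the conditions is blurred by floating-point rounding. $A$, $\mathbf{t}$ and the true error $\mathbf{e} = (1, -1, 1, 1)$ for $\mathbf{s} = (1, 8)$ are constructed from the slide's congruences; the row-reduction, LLL (with $\delta = 0.99$), Gram-Schmidt and Babai routines are this example's own textbook implementations, not any library's API.

```python
from fractions import Fraction
from math import ceil, sqrt

# Constructed toy instance of Section 1-6: q = 31, d = 4 samples, n = 2 unknowns.
Q = 31
A = [(10, -1), (7, -2), (3, 1), (1, -4)]   # row i is a_i = (a_{i,1}, a_{i,2})
T = [3, -10, 12, 1]                         # t = A s + e (mod q)
E = [1, -1, 1, 1]                           # true error for s = (1, 8); only used to judge success

def dot(u, v):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))
def nearest_int(x):
    """Integer c with x - c in (-1/2, 1/2], the P(B*) convention of the slides."""
    return ceil(x - Fraction(1, 2))

def integer_basis(gens):
    """Euclidean row reduction over Z: the d + n dependent rows of A_q become a basis of L(A_q)."""
    M = [list(r) for r in gens]
    piv = 0
    for j in range(len(M[0])):
        while piv < len(M):
            nz = [i for i in range(piv, len(M)) if M[i][j] != 0]
            if not nz:
                break
            i0 = min(nz, key=lambda i: abs(M[i][j]))
            M[piv], M[i0] = M[i0], M[piv]
            rest = [i for i in range(piv + 1, len(M)) if M[i][j] != 0]
            for i in rest:
                c = M[i][j] // M[piv][j]
                M[i] = [a - c * b for a, b in zip(M[i], M[piv])]
            if all(M[i][j] == 0 for i in rest):
                piv += 1
                break
    return [r for r in M if any(r)]

def gram_schmidt(B):
    """b_i* = b_i - sum_{j<i} mu_ij b_j*; returns (B*, mu)."""
    Bs, mu = [], []
    for i, b in enumerate(B):
        v, row = [Fraction(x) for x in b], []
        for j in range(i):
            m = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            row.append(m)
            v = [a - m * c for a, c in zip(v, Bs[j])]
        Bs.append(v)
        mu.append(row)
    return Bs, mu

def lll(B, delta=Fraction(99, 100)):
    """Textbook LLL for Step 2; Gram-Schmidt data is recomputed after each change (fine at d = 4)."""
    B, k = [list(r) for r in B], 1
    while k < len(B):
        Bs, mu = gram_schmidt(B)
        for j in range(k - 1, -1, -1):                        # size-reduce b_k
            c = nearest_int(mu[k][j])
            if c:
                B[k] = [a - c * b for a, b in zip(B[k], B[j])]
                Bs, mu = gram_schmidt(B)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                            # Lovasz condition holds
        else:
            B[k - 1], B[k] = B[k], B[k - 1]
            k = max(k - 1, 1)
    return B

def babai_nearest_plane(B, t):
    """Step 3: the unique lattice point v with t - v in P(B*)."""
    Bs, _ = gram_schmidt(B)
    w = [Fraction(x) for x in t]
    for i in range(len(B) - 1, -1, -1):
        c = nearest_int(dot(w, Bs[i]) / dot(Bs[i], Bs[i]))
        w = [a - c * b for a, b in zip(w, B[i])]
    return [int(ti - wi) for ti, wi in zip(t, w)]

def in_parallelepiped(B, w):
    """w in P(B*): w = sum y_i b_i* with -1/2 < y_i <= 1/2 (the success condition of 3-2)."""
    Bs, _ = gram_schmidt(B)
    half = Fraction(1, 2)
    return all(-half < dot(w, bs) / dot(bs, bs) <= half for bs in Bs)

def reduction_constant(B, q, n):
    """c = (min ||b_i*|| / q^((d-n)/d))^(1/d), the quantity measured in Section 3-4."""
    Bs, d = gram_schmidt(B)[0], len(B)
    return (sqrt(min(float(dot(bs, bs)) for bs in Bs)) / q ** ((d - n) / d)) ** (1 / d)

def key_recovery_attack(A, t, q):
    """Steps 1-3 of Section 2-4; returns Babai's output v and the reduced basis B."""
    d, n = len(A), len(A[0])
    A_q = [[q if i == j else 0 for j in range(d)] for i in range(d)] \
        + [[A[i][j] for i in range(d)] for j in range(n)]            # Step 1: (q I_d ; A^T)
    B = lll(integer_basis(A_q))                                      # Step 2
    return babai_nearest_plane(B, t), B                              # Step 3

if __name__ == "__main__":
    v, B = key_recovery_attack(A, T, Q)
    print("v =", v, " recovered A s mod q:", v == [ti - ei for ti, ei in zip(T, E)],
          " e in P(B*):", in_parallelepiped(B, E), " c:", round(reduction_constant(B, Q, 2), 4))
```

Two invariants hold regardless of which reduced basis LLL finds: Babai's residual $\mathbf{t} - \mathbf{v}$ always lies in $\mathcal{P}(B^*)$, and the attack recovers $A\mathbf{s} \pmod q$ exactly when the true error $\mathbf{e}$ lies in $\mathcal{P}(B^*)$, which is the equivalence of Section 3-2. Whether that happens for this four-dimensional toy is a matter of luck (the error has length 2 while the lattice has volume $31^2$); the point of Sections 3-3 to 3-6 is to replace the luck with the estimate $2\sigma < \min_i \|\mathbf{b}_i^*\|$ and the measured constant $c$.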

3-5. A piece of our experimental results (LLL)

[Figure: two histograms. Frequency distribution of the values $c_{LLL} := \left( \min_{1 \le i \le d} \|\mathbf{b}_i^*\| / q^{(d-n)/d} \right)^{1/d}$ for LLL-reduced bases $\mathbf{b}_1, \dots, \mathbf{b}_d$ of $q$-ary lattices in 100 LWE samples; horizontal axis $c_{LLL}$ from 0.9775 to 0.9811 in bins of width 0.0002, vertical axis frequency.]

Case of $(n, r, d) = (100, 50, 300)$ : Minimum: 0.977566, Average: 0.978622 (frequency axis 0 to 20)

Case of $(n, r, d) = (80, 50, 255)$ : Minimum: 0.977516, Average: 0.978815 (frequency axis 0 to 12)

cf. $c_{LLL} = 0.982596$ on average for random lattices.

3-6. Estimation of successful range

We estimated that the key recovery attack with LLL + Babai nearest plane succeeds if and only if

$2\sigma < \min_{1 \le i \le d} \|\mathbf{b}_i^*\|$
$\iff 2\sigma < c_{LLL}^{\,d} \cdot q^{(d-n)/d}$
$\iff \log_2(2\sigma) < d \log_2 c_{LLL} + \dfrac{r(d-n)}{d}$
$\iff r > \dfrac{d}{d-n}\left( \log_2(2\sigma) - d \log_2 c_{LLL} \right) \quad \cdots (\#)$

where $r := \log_2 q$.

With $c_{LLL} = 0.9775$, the inequality (#) gives a boundary to determine which LWE instance $(n, q, d, \sigma)$ can be solved by the attack with LLL + Babai nearest plane.

e.g., when $(n, d, \sigma) = (200, 505, 8/\sqrt{2\pi})$, the attack with LLL (resp. bKZ-20) succeeds for $r > 32$ (resp. $r > 22$).
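The boundary (#) evaluated in code, as an added example that is not part of the slides: `modulus_bits_needed` returns the real-valued right-hand side of (#) for given $(n, d, \sigma)$ and a reduction constant $c$, and `predicted_solvable` applies it to a concrete instance $(n, q, d, \sigma)$. The constants are the experimental minima $c_{LLL} = 0.9775$ and $c_{bKZ20} = 0.9863$ from Section 3-4 and the $\sigma = 8/\sqrt{2\pi}$ of the example above; the function names are this example's own. The slide quotes the thresholds as integers; the function gives the fractional values they round to.

```python
from math import log2, pi, sqrt

# Experimental minima of c reported in Section 3-4 of the slides.
C_LLL, C_BKZ20 = 0.9775, 0.9863
# sigma = 8 / sqrt(2 pi), the value used in the slides' numerical example.
SIGMA_EXAMPLE = 8 / sqrt(2 * pi)

def modulus_bits_needed(n, d, sigma, c):
    """Right-hand side of (#): d/(d-n) * (log2(2 sigma) - d log2 c).
    The attack is predicted to succeed iff r = log2 q exceeds this value."""
    if d <= n:
        raise ValueError("the bound needs more samples than unknowns (d > n)")
    return d / (d - n) * (log2(2 * sigma) - d * log2(c))

def predicted_solvable(n, q, d, sigma, c):
    """Apply (#) to a concrete instance (n, q, d, sigma) with reduction constant c."""
    return log2(q) > modulus_bits_needed(n, d, sigma, c)

if __name__ == "__main__":
    n, d = 200, 505
    for name, c in (("LLL", C_LLL), ("bKZ-20", C_BKZ20)):
        r_min = modulus_bits_needed(n, d, SIGMA_EXAMPLE, c)
        print(f"{name}: predicted to succeed for r > {r_min:.2f}")
```

Because $\log_2 c$ is negative, the term $-d \log_2 c$ grows linearly in the number of samples $d$, while the prefactor $d/(d-n)$ shrinks toward 1 as $d$ grows; the two effects are why the boundary in the figure of Section 3-6 is drawn for a fixed $d$ per $n$ rather than as a single curve.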

[Figure: successful range of the attack in the $(n, r)$-plane; horizontal axis: security parameter $n$ (100 to 500), vertical axis: bit-size $r$ of the modulus parameter $q$ (0 to 80). Plotted: Laine-Lauter's experimental data on a successful range by LLL; our estimation for LLL ($c_{LLL} = 0.9775$); our estimation for BKZ-20 ($c_{BKZ20} = 0.9863$); example parameters by Lindner-Peikert (toy, low, medium, high; one of them labelled "same as AES-128"). The curves separate the regions solvable/unsolvable by LLL + Babai's nearest plane method and solvable/unsolvable by BKZ-20 + Babai's nearest plane method.]

3-7. Boundary of successful range

Our estimation allows one to investigate which parameters $(n, q, d, \sigma)$ for search-LWE are solvable by the attack. (Note that our estimation coincides with Laine-Lauter's experimental data on the attack against their concrete LWE samples.)

Contents

1. Introduction

2. Overview of Key Recovery Attack

3. Our analysis on Key Recovery Attack

4. Conclusion

Conclusion

• The key recovery attack is a lattice-based attack against the LWE problem, which is one of the computation­ally hard problems used for constructing more secure cryptosystems.

• The success of the key recovery attack for search-LWE deeply depends on the quality of the reduced basis of the $q$-ary lattice constructed from LWE samples.

• By our estimation and explicit inequality, one can investigate which parameters $(n, q, d, \sigma)$ for search-LWE are solvable by the attack with LLL (or bKZ-20) + Babai nearest plane algorithm.