A Hybrid Lattice Basis Reduction and Quantum Search Attack on LWE

Göpfert, Florian; Vredendaal, Christine van; Wunderer, Thomas

doi:10.1007/978-3-319-59879-6_11

Cited by 34 publications

(19 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The BRLWE-based encryption scheme is based on the average-case hardness of the BRLWE problem [22]. The work of [32] showed that this scheme achieves 73-bits and 140-bits quantum security for the parameters of (n, q) = (256, 256) and (n, q) = (512, 256), respectively, which fits well typical lightweight applications.…”

Section: B Inverted Binary Ring-lwe (Invbrlwe)mentioning

confidence: 77%

Efficient Hardware Arithmetic for Inverted Binary Ring-LWE Based Post-Quantum Cryptography

Imaña

Bao

et al. 2022

IEEE Trans. Circuits Syst. I

View full text Add to dashboard Cite

Ring learning-with-errors (RLWE)-based encryption scheme is a lattice-based cryptographic algorithm that constitutes one of the most promising candidates for Post-Quantum Cryptography (PQC) standardization due to its efficient implementation and low computational complexity. Binary Ring-LWE (BRLWE) is a new optimized variant of RLWE, which achieves smaller computational complexity and higher efficient hardware implementations. In this paper, two efficient architectures based on Linear-Feedback Shift Register (LFSR) for the arithmetic used in Inverted Binary Ring-LWE (InvBRLWE)-based encryption scheme are presented, namely the operation of A • B + C over the polynomial ring Z q /(x n + 1). The first architecture optimizes the resource usage for major computation and has a novel input processing setup to speed up the overall processing latency with minimized input loading cycles. The second architecture deploys an innovative serial-in serial-out processing format to reduce the involved area usage further yet maintains a regular input loading time-complexity. Experimental results show that the architectures presented here improve the complexities obtained by competing schemes found in the literature, e.g., involving 71.23% less areadelay product than recent designs. Both architectures are highly efficient in terms of area-time complexities and can be extended for deploying in different lightweight application environments.

show abstract

Section: B Inverted Binary Ring-lwe (Invbrlwe)mentioning

confidence: 77%

Efficient Hardware Arithmetic for Inverted Binary Ring-LWE Based Post-Quantum Cryptography

Imaña

Bao

et al. 2022

IEEE Trans. Circuits Syst. I

View full text Add to dashboard Cite

show abstract

“…chosen the same parameter settings according to the existing designs of [23], [24], [29]- [31], i.e., (n, q) = (256, 256) and (n, q) = (512, 256) ( q = 8), which correspond to the quantum/classic security of 73/84-bits and 140/190-bits, respectively [20]; (iv) for a fair and practical comparison, we set the input/output of the proposed accelerator as serialin/serial-out format; (v) the proposed accelerator also includes the third and fourth polynomials Z and W for operations of both encryption and decryption phases as well as related resources; (vi) for a more general demonstration, we do not use the other available resources on the FPGA devices such as the block RAM (BRAM), etc. ; (vii) we have chosen u = 1, u = 2, u = 4, u = 8, and u = 16 for the proposed KINA, respectively, to showcase the high-speed operational performance under different processing setups; (viii) the obtained area-time complexities, in terms of the number of Lookup table (LUT), maximum frequency (Fmax, MHz), latency cycles, delay (critical-path×latency cycles), area-delay product (ADP), and throughput are all listed in Table II along with those of [23], [24], [29]- [31].…”

Section: B Fpga Implementation Results and Comparisonmentioning

confidence: 99%

“…Important parameters for the RBLWE-based PQC scheme are: (i) n refers to the scheme-size (security level); (ii) the bit-length of the coefficients in the integer polynomials is log 2 q (which is also the bit-width of the adder); (iii) n 2 = uv, where u and v are integers. The recent works have suggested to use parameter sets of (n, q) = (256, 256) and (n, q) = (512, 256) for RBLWE-based scheme, which also achieves quantum security of 73-bits and 140-bits, respectively [20], [39]. In this case, we have log 2 q = log 2 256 = 8.…”

Section: Kina: Proposed Rblwe-based Pqc Acceleratormentioning

confidence: 99%

KINA: Karatsuba Initiated Novel Accelerator for Ring-Binary-LWE (RBLWE)-based Post-Quantum Cryptography

He¹,

Tu²,

Xie³

et al. 2022

Preprint

View full text Add to dashboard Cite

<p>Along with the National Institute of Standards and Technology (NIST) post-quantum cryptography (PQC) standardization process, lightweight PQC-related research and development have also gained substantial attention from the research community recently. Ring-Binary-Learning-with-Errors (RBLWE), a lightweight variant of Ring-LWE, which uses binary errors to replace the regular Gaussian distributed errors to achieve smaller complexity, has great potential to built such lightweight PQC scheme for emerging Internet-of-Things (IoT) and edge computing applications.The parameter settings of the RBLWE-based encryption scheme, however, are much smaller than the typical Ring-LWE one and then how to reduce its computational complexity becomes an interesting research topic.Following this direction, in this paper, we propose a Karatsuba Initiated Novel Accelerator (KINA) for efficient implementation of RBLWE-based PQC. Overall, we have made several coherent interdependent stages of efforts to carry out the proposed work: (i) we have presented the mathematical derivation process to propose a new Karatsuba Algorithm (KA)-based polynomial multiplication, the main algorithmic operation of the RBLWE-based scheme; (ii) we have then effectively mapped the proposed algorithm into a desired hardware accelerator with the help of a number of optimization techniques; (iv) we have also provided detailed complexity analysis and implementation comparison to demonstrate the superior performance of the proposed RBLWE-based PQC accelerator. Overall, the proposed RBLWE-based PQC accelerator involves two unique features: (i) this is the first report about Karatsuba initiated RBLWE-based PQC accelerator; (ii) the proposed RBLWE-based PQC accelerator offers flexible processing speed and can be fit in various high-performance applications. The proposed KINA is highly efficient and has the potential to be included in the implementation recommendation choices for RBLWE-based scheme deploying in lightweight applications.</p>

show abstract

“…Moreover, he gave a method to construct lattice bases for trinary NTRU and various cases to be used in the hybrid attack. A quantum version of the hybrid attack was proposed in [11], where the MitM part is sped up by using a generalization of Grover's quantum search algorithm. However, the hybrid attack seems not considered or just roughly referred among most candidates of the NIST Post Quantum Cryptography (PQC) standardization project.…”

Section: Related Workmentioning

confidence: 99%

Cryptanalysis of GiophantusTM Schemes against Hybrid Attack

Wang

Ikematsu

Akiyama

et al. 2020

Proceedings of the 7th ACM Workshop on ASIA Public-Key Cryptography

View full text Add to dashboard Cite

The hybrid attack was proposed by Howgrave-Graham in CRYPTO2007, which was originally designed for the cryptanalysis of NTRU cryptosystems. In this paper, based on Howgrave-Graham's attack model, we propose a simulator of hybrid attack to evaluate the hardness of the unique shortest vector problem. By a dynamical computation, our algorithm can trade off the cost between reduction and MitM, while both of them run in exponential time. Further, we adapt our simulator to Giophantus.., Giophantus + and Giophantus − cryptosystems, proposed by Akiyama et al. in SAC2017, SCIS2019 and SCIS2020, respectively. Our analysis shows that by the hybrid attack, the security levels can be reduced by at most 19 bits for Giophantus' parameters proposed in NIST Post Quantum Cryptography (PQC) standardization 1st round submission. Meanwhile, the parameter sets of Giophantus + and Giophantus − are secure against the hybrid attack. CCS CONCEPTS • Security and privacy → Cryptanalysis and other attacks.

show abstract

A Hybrid Lattice Basis Reduction and Quantum Search Attack on LWE

Cited by 34 publications

References 28 publications

Efficient Hardware Arithmetic for Inverted Binary Ring-LWE Based Post-Quantum Cryptography

Efficient Hardware Arithmetic for Inverted Binary Ring-LWE Based Post-Quantum Cryptography

KINA: Karatsuba Initiated Novel Accelerator for Ring-Binary-LWE (RBLWE)-based Post-Quantum Cryptography

Cryptanalysis of GiophantusTM Schemes against Hybrid Attack

Contact Info

Product

Resources

About