A Refined Analysis of the Cost for Solving LWE via uSVP

Bai, Shi; Miller, Shaun; Wen, Weiqiang

doi:10.1007/978-3-030-23696-0_10

Cited by 14 publications

(4 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…namely, c = σ χ according to the arithmetic-geometric mean inequality. Some prior works [3,5] instead chose c = 1. While this is benign since σ χ is typically not too far from 1, it remains a sub-optimal choice.…”

Section: Embedding Lwe Into Dbddmentioning

confidence: 99%

LWE with Side Information: Attacks and Concrete Security Estimation

Dachman-Soled

Ducas

Gong

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We propose a framework for cryptanalysis of lattice-based schemes, when side information-in the form of "hints"-about the secret and/or error is available. Our framework generalizes the so-called primal lattice reduction attack, and allows the progressive integration of hints before running a final lattice reduction step. Our techniques for integrating hints include sparsifying the lattice, projecting onto and intersecting with hyperplanes, and/or altering the distribution of the secret vector. Our main contribution is to propose a toolbox and a methodology to integrate such hints into lattice reduction attacks and to predict the performance of those lattice attacks with side information. While initially designed for side-channel information, our framework can also be used in other cases: exploiting decryption failures, or simply exploiting constraints imposed by certain schemes (LAC, Round5, NTRU). We implement a Sage 9.0 toolkit to actually mount such attacks with hints when computationally feasible, and to predict their performances on larger instances. We provide several end-to-end application examples, such as an improvement of a single trace attack on Frodo by Bos et al. (SAC 2018). In particular, our work can estimates security loss even given very little side information, leading to a smooth measurement/computation trade-off for side-channel attacks.

show abstract

Section: Embedding Lwe Into Dbddmentioning

confidence: 99%

LWE with Side Information: Attacks and Concrete Security Estimation

Dachman-Soled

Ducas

Gong

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…After that, Albrecht, Göpfert, Virdia and Wunderer [161] compared these two estimates and verified experimentally the prediction of [160] when the error vector was sampled coefficient-wise from a discrete Gaussian distribution. In 2019, Bai, Miller and Wen [162] revisited the previous analysis of [160], [161], and provided experiments on estimating the cost of solving LWE via the uSVP suggesting that the 2016 estimate has higher accuracy than the 2008 estimate. In a recent work, Dachman-Soled, Ducas, Gong and Rossi [163] generalized the uSVP attack and proved that the predictions of [160], [161] are not accurate for small block sizes (i.e.…”

Section: B Attacks Based On Bounded Distance Decoding Problemmentioning

confidence: 99%

Survey on Fully Homomorphic Encryption, Theory, and Applications

Marcolla¹,

Sucasas²,

Manzano³

et al. 2023

Preprint

View full text Add to dashboard Cite

This paper comprehensively addresses homomorphic encryption from both theoretical and practical perspectives. The paper delves into the mathematical foundations required to understand fully homomorphic encryption FHE. It consequently covers design fundamentals and security properties of FHE, and describes the main FHE schemes based on various mathematical problems. On a more practical level, the paper presents a view on privacy-preserving Machine Learning using homomorphic encryption, then surveys FHE at length from an engineering angle, covering the potential application of FHE in fog computing, and cloud computing services. It also provides a comprehensive analysis of existing state-of-the-art FHE libraries and tools, implemented in software and hardware, and the performance thereof.

show abstract

“…Concrete running times for actual successful attacks can be found in a few places in the literature, e.g. in [4,8,12,28], and we find those useful for comparison here. In particular, for dimensions n ≤ 200, we chose values of log q strictly smaller than those used in [12]; for dimensions n = 256, 300 and 350, we use much smaller values of log q than [28]: for instance, for n = 350, we use log q = 32, much smaller than the value log q = 52 in [28].…”

Section: Comparison To Existing Attacks On Lwementioning

confidence: 99%

SALSA PICANTE: a machine learning attack on LWE with binary secrets

Li¹,

Sotáková²,

Wenger³

et al. 2023

Preprint

View full text Add to dashboard Cite

The Learning With Errors (LWE) problem is one of the major hard problems in post-quantum cryptography. For example, 1) the only Key Exchange Mechanism KEM standardized by NIST [14] is based on LWE; and 2) current publicly available Homomorphic Encryption (HE) libraries are based on LWE. NIST KEM schemes use random secrets, but homomorphic encryption schemes use binary or ternary secrets, for efficiency reasons. In particular, sparse binary secrets have been proposed, but not standardized [2], for HE.Prior work SALSA [49] demonstrated a new machine learning attack on sparse binary secrets for the LWE problem in small dimensions (up to n = 128) and low Hamming weights (up to h = 4). However, this attack assumed access to millions of LWE samples, and was not scaled to higher Hamming weights or dimensions.Our attack, PICANTE, reduces the number of samples required to just m = 4n samples. Moreover, it can recover secrets with much larger dimensions (up to 350) and Hamming weights (roughly n/10, or h = 33 for n = 300). To achieve this, we introduce a preprocessing step which allows us to generate the training data from a linear number of samples and changes the distribution of the training data to improve transformer training. We also improve the distinguisher/secret recovery methods of SALSA and introduce a novel cross-attention recovery mechanism which allows us to read-off the secret directly from the trained models.

show abstract

A Refined Analysis of the Cost for Solving LWE via uSVP

Cited by 14 publications

References 47 publications

LWE with Side Information: Attacks and Concrete Security Estimation

LWE with Side Information: Attacks and Concrete Security Estimation

Survey on Fully Homomorphic Encryption, Theory, and Applications

SALSA PICANTE: a machine learning attack on LWE with binary secrets

Contact Info

Product

Resources

About