On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack

Buchmann, Johannes; Göpfert, Florian; Player, Rachel; Wunderer, Thomas

doi:10.1007/978-3-319-31517-1_2

Cited by 53 publications

(37 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A theoretical analysis of the hybrid attack was given in [12]. Furthermore, an application of the hybrid attack to binary LWE was analyzed in [8]. About the success probability, theoretical analysis with additional assumption is given in [12] and [8] but lack of experimental verification.…”

Section: Related Workmentioning

confidence: 99%

“…Furthermore, an application of the hybrid attack to binary LWE was analyzed in [8]. About the success probability, theoretical analysis with additional assumption is given in [12] and [8] but lack of experimental verification. In addition, Wunderer [22] pointed out the overestimate of lattice-based cryptosystems derived from the flawed analysis due to roughly simplifying the assumptions in the hybrid attack.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Cryptanalysis of GiophantusTM Schemes against Hybrid Attack

Wang

Ikematsu

Akiyama

et al. 2020

Proceedings of the 7th ACM Workshop on ASIA Public-Key Cryptography

View full text Add to dashboard Cite

The hybrid attack was proposed by Howgrave-Graham in CRYPTO2007, which was originally designed for the cryptanalysis of NTRU cryptosystems. In this paper, based on Howgrave-Graham's attack model, we propose a simulator of hybrid attack to evaluate the hardness of the unique shortest vector problem. By a dynamical computation, our algorithm can trade off the cost between reduction and MitM, while both of them run in exponential time. Further, we adapt our simulator to Giophantus.., Giophantus + and Giophantus − cryptosystems, proposed by Akiyama et al. in SAC2017, SCIS2019 and SCIS2020, respectively. Our analysis shows that by the hybrid attack, the security levels can be reduced by at most 19 bits for Giophantus' parameters proposed in NIST Post Quantum Cryptography (PQC) standardization 1st round submission. Meanwhile, the parameter sets of Giophantus + and Giophantus − are secure against the hybrid attack. CCS CONCEPTS • Security and privacy → Cryptanalysis and other attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Cryptanalysis of GiophantusTM Schemes against Hybrid Attack

Wang

Ikematsu

Akiyama

et al. 2020

Proceedings of the 7th ACM Workshop on ASIA Public-Key Cryptography

View full text Add to dashboard Cite

show abstract

“…Another class of secret key cryptographic schemes that have so far withstood quantum attacks are based on the learning with errors (LWE) problem (see, for example, [4,8,17,19]). It has recently been shown that the hybrid attack applies to LWE with binary error as well [5]. This paper shows that the storage capacity is not as unambiguous as portrayed in [14] and reduced-memory variation of the attack should be taken into account for parameter considerations of NTRU and LWE-based schemes.…”

mentioning

confidence: 92%

Reduced memory meet-in-the-middle attack against the NTRU private key

Vredendaal¹

2016

LMS J. Comput. Math.

View full text Add to dashboard Cite

NTRU is a public-key cryptosystem introduced at ANTS-III. The two most used techniques in attacking the NTRU private key are meet-in-the-middle attacks and lattice-basis reduction attacks. Howgrave-Graham combined both techniques in 2007 and pointed out that the largest obstacle to attacks is the memory capacity that is required for the meet-in-the-middle phase. In the present paper an algorithm is presented that applies low-memory techniques to find 'golden' collisions to Odlyzko's meet-in-the-middle attack against the NTRU private key. Several aspects of NTRU secret keys and the algorithm are analysed. The running time of the algorithm with a maximum storage capacity of w is estimated and experimentally verified. Experiments indicate that decreasing the storage capacity w by a factor 1 < c < √ w increases the running time by a factor √ c.

show abstract

“…On the other hand, we do not have provable security on our particular structure, but neither does NTRU; although NTRU has been researched intensively for quite some time now. Another motivation to follow an alternative path of study from LWE-based cryptosystems (and q-ary lattices) is the recent progress of attacks on such cryptosystems [3,5,13,38,39,41] and the recent talk given by Lyubashevsky at PKC'16 in which he also qualifies LWE-based problems as particular instances of "basic" lattice problems and advised "to understand the underlying knapsack problems" to build practical schemes [47].…”

Section: Introductionmentioning

confidence: 99%

Enhancing Goldreich, Goldwasser and Halevi’s scheme with intersecting lattices

Sipasseuth

Plantard

Susilo

2019

Journal of Mathematical Cryptology

View full text Add to dashboard Cite

We present a technique to enhance the security of the Goldreich, Goldwasser and Halevi (GGH) scheme. The security of GGH has practically been broken by lattice reduction techniques. Those attacks are successful due to the structure of the basis used in the secret key. In this work, we aim to present a new technique to alleviate this problem by modifying the public key which hides the structure of the corresponding private key. We intersect the initial lattice with a random one while keeping the initial lattice as our secret key and use the corresponding result of the intersection as the public key. We show sufficient evidence that this technique will make GGH implementations secure against the aforementioned attacks.

show abstract

On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack

Cited by 53 publications

References 27 publications

Cryptanalysis of GiophantusTM Schemes against Hybrid Attack

Cryptanalysis of GiophantusTM Schemes against Hybrid Attack

Reduced memory meet-in-the-middle attack against the NTRU private key

Enhancing Goldreich, Goldwasser and Halevi’s scheme with intersecting lattices

Contact Info

Product

Resources

About