SLIDE 1
29.06.2017 | 1
- F. GΓΆpfert, C. van Vredendaal, Thomas Wunderer
29.06.2017 | 2
A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. - - PowerPoint PPT Presentation
A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. - - PowerPoint PPT Presentation
A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal, Thomas Wunderer 29.06.2017 | 1 Motivation Primal BKW Embedding LWE Hybrid Dual Embedding Make it quantum! Faster More versatile
SLIDE 2
SLIDE 3
29.06.2017 | 3
Background and Notation
SLIDE 4
29.06.2017 | 4
Lattices
π1 π2 π1
β²
π2
β²
(good) basis πͺ (bad) basis πͺβ² π-dimensional lattice Ξ: a discrete additive subgroup of βπ Basis of a lattice Ξ: lin. ind. πͺ = π1, β¦ , ππ such that Ξ = β€π1 + β¦ + β€ππ. Basis reduction
SLIDE 5
29.06.2017 | 5
Shortest Vector Problem (SVP)
Find a shortest non- zero lattice vector
SLIDE 6
29.06.2017 | 6
Closest Vector Problem (CVP)
π π
Given a target vector π Find (short) difference vector π Bounded Distance Decoding (BDD)
SLIDE 7
29.06.2017 | 7
Learning with Errors (LWE)
π© s e . + b =
Given: π© β β€π
πΓπ, π β β€π π
Find: π β β€π
π
mod q
short short
SLIDE 8
29.06.2017 | 8
The (Quantum) Hybrid Attack
- n LWE
SLIDE 9
29.06.2017 | 9
Our approach
We solve the LWE instance π = π©π + π πππ π as follows: 1. Transform LWE into SVP in some lattice Ξ 2. Generate a basis πͺβ² of Ξ of the form πͺβ² = πͺ π« π π±π 3. Solve SVP in Ξ with our Quantum Hybrid Attack
SLIDE 10
29.06.2017 | 10
Transforming LWE into SVP
π = π©π + π πππ π π = π π 1 β Ξ = π β β€π+π+1 βΆ π© π±π β π π = π πππ π
short
SLIDE 11
29.06.2017 | 11
The Quantum Hybrid Attack (Idea)
Setup: Find a shortest non-zero vector π β Ξ πͺβ² β β€π, where πͺβ² = πͺ π« π π±π
π€ = π€1 π€1 π π π€2 β Ξ β Ξ ππ½π πΌ 0π π½π
Quantum-search for π2 β β€π (βGrover-likeβ) Find π1 β β€πβπ with lattice-based techniques:
- Basis reduction as precomputation
- BDD-algorithms (Nearest Plane [Babai86])
SLIDE 12
29.06.2017 | 12
Quantum vs. Classical Hybrid Attack
Quantum Classical Quantum search for π2 Meet-in-the-middle search for π2 + β-speed-up over brute-force + β-speed-up over brute-force + More versitile
- Requires highly structured keys
+ Low memory consumption
- Huge memory consumption
+ No collision-finding probability
- Low collision-finding probability
(might be β 2β90)
SLIDE 13
29.06.2017 | 13
The Attack
SLIDE 14
29.06.2017 | 14
π = ππ ππ = πͺ π« π π±π π ππ = πͺπ + π«ππ ππ
Find ππ approach if ππ is known
π = π«ππ
Lattice π³ = π³ πͺ π = βπͺπ ππ
Solve BDD problem: Given π, find ππ
SLIDE 15
29.06.2017 | 15
Solving BDD: Babaiβs Nearest Plane
πππͺ π π πβ² πππͺ πβ²
π¬( πͺ) Requires sufficiently good basis
SLIDE 16
29.06.2017 | 16
The Algorithm (Simplified Idea)
Loop:
- βQuantum-guessβ π2
β² β π (black box for now)
- Check if guess is correct:
- Calculate π1
β² = πππͺ π«π2 β²
- If π =
π1
β²
π2
β²
is sufficiently short
- Return π
Task: find a shortest non-zero vector in a lattice Ξ Input: a search space π β β€π , a basis πͺβ² = πͺ π« π π±π
SLIDE 17
29.06.2017 | 17
Quantum Search (simplified)
- Let π = π‘1, β¦ , π‘π be a finite search space and πΈ = π1, β¦ , ππ be a
probability distribution on π.
- Let π‘ β π be a secret sampled from πΈ. Task: find it!
- Choose a probability distribution π΅ = π1, β¦ , ππ on π.
- There exists a quantum algorithm (generalization of Groverβs
search algorithm) that finds π‘ in roughly π π΅ = π π1, β¦ , ππ = ππ ππ loops (sampling from π΅ and testing).
SLIDE 18
29.06.2017 | 18
How to choose the distribution A
- Minimize the function π π1, β¦ , ππ = ππ
ππ over all
π1, β¦ , ππ β 0,1 with π1 + β― + ππ = 1.
- Optimization with constraints in π variables (ο Lagrange)
- Optimal distribution a1, β¦ , ππ
with ππ =
ππ
2/3
ππ
2/3
- Minimal number of loops:
ππππ = ππ
2/3 3/2
SLIDE 19
29.06.2017 | 19
Example (New Hope)
Take π = β16, β¦ , 16 200 and πΈ to be the distribution on π given in the βNew Hopeβ key exchange scheme [ADPS16]
- Classical brute-force search:
πππππ‘π‘ππππ β 33200 β 21009
- Groverβs quantum search:
ππ»π ππ€ππ β 33200 β 2504
- Our approach:
πππ£π β 21.85β 200 β 2370
SLIDE 20
29.06.2017 | 20
Results
SLIDE 21
29.06.2017 | 21
Runtime Analysis
Main result: Let all notations be as before and πΈ = π1, β¦ , ππ be the distribution from which π€2 is sampled. Success probability: ππ‘π£ππ β
π=1 πβπ
1 β 2 πΆ π β π β 1 2 , 1 2
β1 max βπ π,β1
1 β π§2 πβπ β3
2
ππ§ where πΆ β ,β denotes the Euler beta function, π
π = ππ 2βπ1β and ππ is the
length of the π-th Gram-Schmidt vector in πͺ. Number of operations if successful: Tβπ§π β
πβπ 2 21.06
ππ
2/3 3/2
SLIDE 22
29.06.2017 | 22
Runtime Analysis
Remarks:
- Tβπ§π depends on the guessing-dimension π and the βqualityβ π
(Hermite factor) of the basis πͺ
- Use precomputation (basis reduction) to change π
- Balance precomputation and actual attack costs:
Tπ’ππ’ππ π , π = Tπ ππ π , π + Tβπ§π π , π ππ‘π£ππ π , π
- Non-trivial optimization process in π and π
- More details: see paper
SLIDE 23
29.06.2017 | 23
Results
- Runtime depends on the cost of basis reduction (BKZ)
- How to model the SVP cost inside BKZ with block size πΎ?
- Two (very) different ways in the literature:
- Enumeration:
T
πππ = 20.27πΎ ln πΎ β1.019πΎ+16.1
- Sieving:
T
πππ = 20.265πΎ+16.4
- Tπ ππ β πππ β #π’ππ£π π‘ β T
πππ
- ο We provide two different runtime estimates
- Compare our results with the LWE estimator (not claimed security levels!)
SLIDE 24
29.06.2017 | 24
Results: New Hope and Frodo
Attack New Hope Frodo-592 Frodo-752 Frodo-864 Dual 1346 446 485 618 Decoding 833
- Qu. Hybrid
725 254 310 377 Attack New Hope Frodo-592 Frodo-752 Frodo-864 Dual 389 173 184 219 Decoding 380
- Qu. Hybrid
384 171 189 221
Table 1: BKZ with enumeration Table 2: BKZ with sieving
SLIDE 25
29.06.2017 | 25
Results: Lindner-Peikert
Figure 1: BKZ with enumeration
SLIDE 26
29.06.2017 | 26
Results: Lindner-Peikert
Figure 1: BKZ with enumeration
SLIDE 27
29.06.2017 | 27
Conclusion
- New improved Quantum Hybrid Attack
- Detailed runtime analysis of the Quantum Hybrid
- New possibilities: apply Quantum Hybrid to non-uniform
search spaces (e.g., LWE with Gaussian distribution)
- Outperforms other attacks in several instances
Thank you! Questions?
SLIDE 28
29.06.2017 | 28
Literature
[HG07] N. Howgrave-Graham. A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack against NTRU. [BGPW16] J. A. Buchmann, F. GΓΆpfert, R. Player, and T. Wunderer. On the Hardness of LWE with Binary Error. [Wun16] T. Wunderer. Revisiting the Hybrid Attack: Improved Analysis and Refined Security Estimates [GvVW16] F. GΓΆpfert, C. van Vredendaal, T. Wunderer. The Quantum Hybrid Attack. [Babai86] L. Babai. On LovΓ‘szβ Lattice Reduction and the Nearest Lattice Point Problem. [Schank15] J. Schanck. Practical Lattice Cryptosystems: NTRUencrypt and NTRUmls. [Grover96] L. K. Grover. A Fast Quantum Mechanical Algorithm for Database Search. [BHMT02] G. Brassard, P. HΓΈyer, M. Mosca, A. Tapp. Quantum Amplitude Amplification and Estimation. [ADPS16] E. Alkim, L. Ducas, T. PΓΆppelmann, P. Schwabe. Post-quantum Key Exchange - A New Hope.