Skip to content

Commit

Permalink
Merge pull request malb#131 from ludopulles/main
Browse files Browse the repository at this point in the history
Fix MitM Babai e-admissability computation
  • Loading branch information
malb authored Oct 17, 2024
2 parents f04e783 + f4a2f21 commit baf9382
Show file tree
Hide file tree
Showing 8 changed files with 21 additions and 31 deletions.
2 changes: 1 addition & 1 deletion docs/algorithms/lwe-dual.rst
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ We can improve these results by considering a dual hybrid attack as in [EC:Albre

dual_hybrid(params)

Further improvements are possible using a meet-in-the-middle approach [EPRINT:CHHS19]_::
Further improvements are possible using a meet-in-the-middle approach [IEEE:CHHS19]_::

dual_hybrid(params, mitm_optimization=True)

Expand Down
10 changes: 5 additions & 5 deletions docs/references.rst
Original file line number Diff line number Diff line change
Expand Up @@ -15,17 +15,16 @@ References
.. [C:HowgraveGraham07] Nick Howgrave-Graham. A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In A. Menezes, CRYPTO 2007 (pp. 150–169). : Springer, Heidelberg.
.. [C:KirFou15] Paul Kirchner & Pierre-Alain Fouque. An improved BKW algorithm for LWE with applications to cryptography and lattices. In R. Gennaro, & M. J. B. Robshaw, CRYPTO 2015, Part~I (pp. 43–62). : Springer, Heidelberg.
.. [CheNgu12] Yuanmi Chen and Phong Q. Nguyen. BKZ 2.0: Better lattice security estimates (Full Version). 2012. http://www.di.ens.fr/~ychen/research/Full_BKZ.pdf
.. [DCC:LaaMosPol15] Thijs Laarhoven, Michele Mosca, & Joop van de Pol. Finding shortest lattice vectors faster using quantum search. In Designs, COdes and Cryptography 2015 (pp. 375-400). https://doi.org/10.1007/s10623-015-0067-5
.. [Dilithium21] Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-DILITHIUM. 2021 https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf
.. [EC:Albrecht17] Albrecht, M. R. (2017). On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In J. Coron, & J. B. Nielsen, EUROCRYPT 2017, Part II (pp. 103–129). : Springer, Heidelberg.
.. [EC:Ducas18] Léo Ducas (2018). Shortest vector from lattice sieving: A few dimensions for free. In J. B. Nielsen, & V. Rijmen, EUROCRYPT 2018, Part I (pp. 125–145). : Springer, Heidelberg.
.. [EC:GamNgu08] Gama, N., Nguyen, P.Q. (2008). Predicting Lattice Reduction. In: Smart, N. (eds) Advances in Cryptology – EUROCRYPT 2008. EUROCRYPT 2008. Lecture Notes in Computer Science, vol 4965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78967-3_3
.. [EC:KirFou17] Kirchner, P., Fouque, PA. (2017). Revisiting Lattice Attacks on Overstretched NTRU Parameters. In: Coron, JS., Nielsen, J. (eds) Advances in Cryptology – EUROCRYPT 2017. EUROCRYPT 2017. Lecture Notes in Computer Science(), vol 10210. Springer, Cham. https://doi.org/10.1007/978-3-319-56620-7_1
.. [EPRINT:CHHS19] Cheon, J.H., Hhan, M., Hong, S. and Son, Y., 2019. A hybrid of dual and meet-in-the-middle attack on sparse and ternary secret LWE. IEEE Access, 7, pp.89497-89506. https://ia.cr/2019/1114pri
.. [EPRINT:LaaMosPol14] Thijs Laarhoven, Michele Mosca, & Joop van de Pol. Finding shortest lattice vectors faster using quantum search. Cryptology ePrint Archive, Report 2014/907, 2014. https://eprint.iacr.org/2014/907.
.. [EPRINT:SonChe19] Son, Y. and Cheon, J.H., 2019. Revisiting the Hybrid Attack on sparse abd ternary LWE. Workshop on Applied Homomorphic Cryptography, WAHC2019.
.. [EPRINT:Wun16] Wunderer, T. (2016). Revisiting the hybrid attack: improved analysis and refined security estimates. https://eprint.iacr.org/2016/733
.. [IEEE:CHHS19] Cheon, J.H., Hhan, M., Hong, S. and Son, Y., 2019. A hybrid of dual and meet-in-the-middle attack on sparse and ternary secret LWE. IEEE Access, 7, pp.89497-89506. https://doi.org/10.1109/ACCESS.2019.2925425
.. [INDOCRYPT:EspJouKha20] Espitau, T., Joux, A. and Kharchenko, N., 2020, December. On a dual/hybrid approach to small secret LWE. In International Conference on Cryptology in India (pp. 440-462). Springer, Cham. https://ia.cr/2020/515
.. [JMC:AlbPlaSco15] Albrecht, M. R., Player, R., & Scott, S. (2015). On the concrete hardness of Learning with Errors. Journal of Mathematical Cryptology, 9(3), 169–203.
.. [JMC:Wunderer19] Wunderer, T. (2019). A detailed analysis of the hybrid lattice-reduction and meet-in-the-middle attack. Journal of Mathematical Cryptology, 13(1), 1-26. https://doi.org/10.1515/jmc-2016-0044
.. [Kyber17] Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-KYBER. 2017
.. [Kyber20] Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-KYBER. 2020 https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf
.. [MATZOV22] MATZOV. Report on the Security of LWE: Improved Dual Lattice Attack. https://zenodo.org/record/6412487 2003
Expand All @@ -36,5 +35,6 @@ References
.. [RSA:LiuNgu13] Liu, M., & Nguyen, P. Q.. Solving BDD by enumeration: an update. In E. Dawson, CT-RSA 2013 (pp. 293–309). : Springer, Heidelberg.
.. [SAC:AlbCurWun19] Albrecht, M. R., Curtis, B. R., & Wunderer, T.. Exploring trade-offs in batch bounded distance decoding. In K. G. Paterson, & D. Stebila, SAC 2019 (pp. 467–491). : Springer, Heidelberg.
.. [SODA:BDGL16] Becker, A., Ducas, L., Gama, N., & Laarhoven, T. (2016). New directions in nearest neighbor searching with applications to lattice sieving. In SODA 2016, (pp. 10–24).
.. [Schnorr03] Claus-Peter Schnorr. Lattice Reduction by Random Sampling and Birthday Methods. In: STACS2003, 20th Annual Symposium on Theoretical Aspects of Computer Science, Berlin, Germany, February 27 - March 1, 2003, Proceedings. Ed. by Helmut Alt and Michel Habib. Vol. 2607. Lecture Notes in Computer Science. Springer, 2003, pp. 145–156.doi:10.1007/3-540-36494-3_14. url: http://dx.doi.org/10.1007/3-540-36494-3_14.
.. [Schnorr03] Claus-Peter Schnorr. Lattice Reduction by Random Sampling and Birthday Methods. In: STACS2003, 20th Annual Symposium on Theoretical Aspects of Computer Science, Berlin, Germany, February 27 - March 1, 2003, Proceedings. Ed. by Helmut Alt and Michel Habib. Vol. 2607. Lecture Notes in Computer Science. Springer, 2003, pp. 145–156. https://dx.doi.org/10.1007/3-540-36494-3_14
.. [USENIX:ADPS16] Edem Alkim, Léo Ducas, Thomas Pöppelmann, & Peter Schwabe (2016). Post-quantum key exchange - A New Hope. In T. Holz, & S. Savage, 25th USENIX Security Symposium, USENIX Security 16 (pp. 327–343). USENIX Association.
.. [WAHC:SonChe19] Son, Y. and Cheon, J.H., 2019. Revisiting the Hybrid Attack on sparse abd ternary LWE. Workshop on Applied Homomorphic Cryptography, WAHC2019. https://doi.org/10.1145/3338469.3358941
2 changes: 1 addition & 1 deletion docs/schemes/hes.rst
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ Homomorphic Encryption Parameters
>>> HESv111024128ternary
LWEParameters(n=1024, q=134217728, Xs=D(σ=0.82), Xe=D(σ=3.00), m=1024, tag='HESv11ternary')
>>> LWE.primal_hybrid(HESv111024128ternary)
rop: ≈2^182.5, red: ≈2^181.7, svp: ≈2^181.4, β: 345, η: 2, ζ: 134, |S|: ≈2^212.4, d: 1915, prob: ≈2^-51.2, ↻: ≈2^53.4, tag: hybrid
rop: ≈2^184.3, red: ≈2^183.4, svp: ≈2^183.1, β: 345, η: 2, ζ: 134, |S|: ≈2^212.4, d: 1915, prob: ≈2^-52.9, ↻: ≈2^55.1, tag: hybrid
::

Expand Down
2 changes: 1 addition & 1 deletion estimator/lwe_dual.py
Original file line number Diff line number Diff line change
Expand Up @@ -364,7 +364,7 @@ def __call__(
- When ζ > 1 and ``solver`` is ``exhaustive_search`` this function estimates
the hybrid attack as given in [INDOCRYPT:EspJouKha20]_
- When ζ > 1 and ``solver`` is ``mitm`` this function estimates the dual MITM
hybrid attack roughly following [EPRINT:CHHS19]_
hybrid attack roughly following [IEEE:CHHS19]_
EXAMPLES::
Expand Down
2 changes: 1 addition & 1 deletion estimator/lwe_primal.py
Original file line number Diff line number Diff line change
Expand Up @@ -420,7 +420,7 @@ def ssf(x):

if mitm and zeta > 0:
if babai:
probability *= mitm_babai_probability(r, params.Xe.stddev, params.q)
probability *= mitm_babai_probability(r, params.Xe.stddev)
else:
# TODO: the probability in this case needs to be analysed
probability *= 1
Expand Down
4 changes: 2 additions & 2 deletions estimator/ntru.py
Original file line number Diff line number Diff line change
Expand Up @@ -117,15 +117,15 @@ def __call__(
usvp :: rop: ≈2^162.1, red: ≈2^162.1, δ: 1.003557, β: 470, d: 1317, tag: usvp
bdd :: rop: ≈2^158.7, red: ≈2^157.7, svp: ≈2^157.7, β: 454, η: 489, d: 1306, tag: bdd
bdd_hybrid :: rop: ≈2^158.7, red: ≈2^157.7, svp: ≈2^157.7, β: 454, η: 489, ζ: 0, |S|: 1, d: ...
bdd_mitm_hybrid :: rop: ≈2^233.0, red: ≈2^232.1, svp: ≈2^232.0, β: 469, η: 2, ζ: 178, |S|: ...
bdd_mitm_hybrid :: rop: ≈2^235.7, red: ≈2^234.8, svp: ≈2^234.6, β: 469, η: 2, ζ: 178, |S|: ...
>>> params = NTRU.Parameters(n=113, q=512, Xs=ND.UniformMod(3), Xe=ND.UniformMod(3))
>>> _ = NTRU.estimate(params, catch_exceptions=False)
usvp :: rop: ≈2^46.0, red: ≈2^46.0, δ: 1.011516, β: 59, d: 221, tag: usvp
dsd :: rop: ≈2^37.9, red: ≈2^37.9, δ: 1.013310, β: 31, d: 226, tag: dsd
bdd :: rop: ≈2^42.4, red: ≈2^41.0, svp: ≈2^41.8, β: 41, η: 70, d: 225, tag: bdd
bdd_hybrid :: rop: ≈2^42.4, red: ≈2^41.0, svp: ≈2^41.8, β: 41, η: 70, ζ: 0, |S|: 1, d: 226, ...
bdd_mitm_hybrid :: rop: ≈2^55.6, red: ≈2^54.7, svp: ≈2^54.6, β: 41, η: 2, ζ: 32, |S|: ≈2^50.7, ...
bdd_mitm_hybrid :: rop: ≈2^55.8, red: ≈2^54.9, svp: ≈2^54.7, β: 41, η: 2, ζ: 32, |S|: ≈2^50.7, ...
"""
params = params.normalize()

Expand Down
28 changes: 9 additions & 19 deletions estimator/prob.py
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
# -*- coding: utf-8 -*-
from sage.all import binomial, ZZ, log, ceil, RealField, oo, exp, pi
from sage.all import RealDistribution, RR, sqrt, prod, erf
from .nd import sigmaf
from .conf import max_n_cache


Expand Down Expand Up @@ -78,40 +77,31 @@ def gaussian_cdf(mu, sigma, t):
return RR((1/2)*(1 + erf((t - mu)/(sqrt(2)*sigma))))


def mitm_babai_probability(r, stddev, q, fast=False):
def mitm_babai_probability(r, stddev, fast=False):
"""
Compute the "e-admissibility" probability associated to the mitm step, according to
[EPRINT:SonChe19]_
[WAHC:SonChe19]_
:params r: the squared GSO lengths
:params stddev: the std.dev of the error distribution
:params q: the LWE modulus
:param fast: toggle for setting p = 1 (faster, but underestimates security)
:return: probability for the mitm process
# NOTE: the model sometimes outputs negative probabilities, we set p = 0 in this case
"""

if fast:
# overestimate the probability -> underestimate security
return 1

# get non-squared norms
alphaq = sigmaf(stddev)
probs = (
RR(
erf(s * sqrt(RR(pi)) / alphaq)
+ (alphaq / s) * ((exp(-s * sqrt(RR(pi)) / alphaq) - 1) / RR(pi))
)
for s in map(sqrt, r)
)
p = RR(prod(probs))
return p if 0 <= p <= 1 else 0.0
# Note: `r` contains *square norms*, so convert to non-square norms.
# Follow the proof of Lemma 4.2 [WAHC:SonChe19]_, because that one uses standard deviation.
xs = [sqrt(.5 * ri) / stddev for ri in r]
p = prod(RR(erf(x) - (1 - exp(-x**2)) / (x * sqrt(pi))) for x in xs)
assert 0.0 <= p <= 1.0
return p


def babai(r, norm):
"""
Babai probability following [EPRINT:Wun16]_.
Babai probability following [JMC:Wunderer19]_.
"""
denom = float(2 * norm) ** 2
Expand Down
2 changes: 1 addition & 1 deletion estimator/reduction.py
Original file line number Diff line number Diff line change
Expand Up @@ -480,7 +480,7 @@ class LaaMosPol14(ReductionCost):

def __call__(self, beta, d, B=None):
"""
Runtime estimation for quantum sieving following [EPRINT:LaaMosPol14]_ and [PhD:Laarhoven15]_.
Runtime estimation for quantum sieving following [DCC:LaaMosPol15]_ and [PhD:Laarhoven15]_.
:param beta: Block size ≥ 2.
:param d: Lattice dimension.
Expand Down

0 comments on commit baf9382

Please sign in to comment.