diff --git a/docs/algorithms/lwe-dual.rst b/docs/algorithms/lwe-dual.rst
index c67a304a..ffc10a02 100644
--- a/docs/algorithms/lwe-dual.rst
+++ b/docs/algorithms/lwe-dual.rst
@@ -18,7 +18,7 @@ We can improve these results by considering a dual hybrid attack as in [EC:Albre
     dual_hybrid(params)
-Further improvements are possible using a meet-in-the-middle approach [EPRINT:CHHS19]_::
+Further improvements are possible using a meet-in-the-middle approach [IEEE:CHHS19]_::
     dual_hybrid(params, mitm_optimization=True)
diff --git a/docs/references.rst b/docs/references.rst
index 8ff7f1ec..3f025a42 100644
--- a/docs/references.rst
+++ b/docs/references.rst
@@ -15,17 +15,16 @@ References
 .. [C:HowgraveGraham07] Nick Howgrave-Graham. A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In A. Menezes, CRYPTO 2007 (pp. 150–169). : Springer, Heidelberg.
 .. [C:KirFou15] Paul Kirchner & Pierre-Alain Fouque. An improved BKW algorithm for LWE with applications to cryptography and lattices. In R. Gennaro, & M. J. B. Robshaw, CRYPTO 2015, Part~I (pp. 43–62). : Springer, Heidelberg.
 .. [CheNgu12] Yuanmi Chen and Phong Q. Nguyen. BKZ 2.0: Better lattice security estimates (Full Version). 2012. http://www.di.ens.fr/~ychen/research/Full_BKZ.pdf
+.. [DCC:LaaMosPol15] Thijs Laarhoven, Michele Mosca, & Joop van de Pol. Finding shortest lattice vectors faster using quantum search. In Designs, COdes and Cryptography 2015 (pp. 375-400). https://doi.org/10.1007/s10623-015-0067-5
 .. [Dilithium21] Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-DILITHIUM. 2021 https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf
 .. [EC:Albrecht17] Albrecht, M. R. (2017). On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In J. Coron, & J. B. Nielsen, EUROCRYPT 2017, Part II (pp. 103–129). : Springer, Heidelberg.
 .. [EC:Ducas18] Léo Ducas (2018). Shortest vector from lattice sieving: A few dimensions for free. In J. B. Nielsen, & V. Rijmen, EUROCRYPT 2018, Part I (pp. 125–145). : Springer, Heidelberg.
 .. [EC:GamNgu08] Gama, N., Nguyen, P.Q. (2008). Predicting Lattice Reduction. In: Smart, N. (eds) Advances in Cryptology – EUROCRYPT 2008. EUROCRYPT 2008. Lecture Notes in Computer Science, vol 4965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78967-3_3
 .. [EC:KirFou17] Kirchner, P., Fouque, PA. (2017). Revisiting Lattice Attacks on Overstretched NTRU Parameters. In: Coron, JS., Nielsen, J. (eds) Advances in Cryptology – EUROCRYPT 2017. EUROCRYPT 2017. Lecture Notes in Computer Science(), vol 10210. Springer, Cham. https://doi.org/10.1007/978-3-319-56620-7_1
-.. [EPRINT:CHHS19] Cheon, J.H., Hhan, M., Hong, S. and Son, Y., 2019. A hybrid of dual and meet-in-the-middle attack on sparse and ternary secret LWE. IEEE Access, 7, pp.89497-89506. https://ia.cr/2019/1114pri
-.. [EPRINT:LaaMosPol14] Thijs Laarhoven, Michele Mosca, & Joop van de Pol. Finding shortest lattice vectors faster using quantum search. Cryptology ePrint Archive, Report 2014/907, 2014. https://eprint.iacr.org/2014/907.
-.. [EPRINT:SonChe19] Son, Y. and Cheon, J.H., 2019. Revisiting the Hybrid Attack on sparse abd ternary LWE. Workshop on Applied Homomorphic Cryptography, WAHC2019.
-.. [EPRINT:Wun16] Wunderer, T. (2016). Revisiting the hybrid attack: improved analysis and refined security estimates. https://eprint.iacr.org/2016/733
+.. [IEEE:CHHS19] Cheon, J.H., Hhan, M., Hong, S. and Son, Y., 2019. A hybrid of dual and meet-in-the-middle attack on sparse and ternary secret LWE. IEEE Access, 7, pp.89497-89506. https://doi.org/10.1109/ACCESS.2019.2925425
 .. [INDOCRYPT:EspJouKha20] Espitau, T., Joux, A. and Kharchenko, N., 2020, December. On a dual/hybrid approach to small secret LWE. In International Conference on Cryptology in India (pp. 440-462). Springer, Cham. https://ia.cr/2020/515
 .. [JMC:AlbPlaSco15] Albrecht, M. R., Player, R., & Scott, S. (2015). On the concrete hardness of Learning with Errors. Journal of Mathematical Cryptology, 9(3), 169–203.
+.. [JMC:Wunderer19] Wunderer, T. (2019). A detailed analysis of the hybrid lattice-reduction and meet-in-the-middle attack. Journal of Mathematical Cryptology, 13(1), 1-26. https://doi.org/10.1515/jmc-2016-0044
 .. [Kyber17] Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-KYBER. 2017
 .. [Kyber20] Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-KYBER. 2020 https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf
 .. [MATZOV22] MATZOV. Report on the Security of LWE: Improved Dual Lattice Attack. https://zenodo.org/record/6412487 2003
@@ -36,5 +35,6 @@ References
 .. [RSA:LiuNgu13] Liu, M., & Nguyen, P. Q.. Solving BDD by enumeration: an update. In E. Dawson, CT-RSA 2013 (pp. 293–309). : Springer, Heidelberg.
 .. [SAC:AlbCurWun19] Albrecht, M. R., Curtis, B. R., & Wunderer, T.. Exploring trade-offs in batch bounded distance decoding. In K. G. Paterson, & D. Stebila, SAC 2019 (pp. 467–491). : Springer, Heidelberg.
 .. [SODA:BDGL16] Becker, A., Ducas, L., Gama, N., & Laarhoven, T. (2016). New directions in nearest neighbor searching with applications to lattice sieving. In SODA 2016, (pp. 10–24).
-.. [Schnorr03] Claus-Peter Schnorr. Lattice Reduction by Random Sampling and Birthday Methods. In: STACS2003, 20th Annual Symposium on Theoretical Aspects of Computer Science, Berlin, Germany, February 27 - March 1, 2003, Proceedings. Ed. by Helmut Alt and Michel Habib. Vol. 2607. Lecture Notes in Computer Science. Springer, 2003, pp. 145–156.doi:10.1007/3-540-36494-3_14. url: http://dx.doi.org/10.1007/3-540-36494-3_14.
+.. [Schnorr03] Claus-Peter Schnorr. Lattice Reduction by Random Sampling and Birthday Methods. In: STACS2003, 20th Annual Symposium on Theoretical Aspects of Computer Science, Berlin, Germany, February 27 - March 1, 2003, Proceedings. Ed. by Helmut Alt and Michel Habib. Vol. 2607. Lecture Notes in Computer Science. Springer, 2003, pp. 145–156. https://dx.doi.org/10.1007/3-540-36494-3_14
 .. [USENIX:ADPS16] Edem Alkim, Léo Ducas, Thomas Pöppelmann, & Peter Schwabe (2016). Post-quantum key exchange - A New Hope. In T. Holz, & S. Savage, 25th USENIX Security Symposium, USENIX Security 16 (pp. 327–343). USENIX Association.
+.. [WAHC:SonChe19] Son, Y. and Cheon, J.H., 2019. Revisiting the Hybrid Attack on sparse abd ternary LWE. Workshop on Applied Homomorphic Cryptography, WAHC2019. https://doi.org/10.1145/3338469.3358941
diff --git a/docs/schemes/hes.rst b/docs/schemes/hes.rst
index 1b48358c..e9b97b28 100644
--- a/docs/schemes/hes.rst
+++ b/docs/schemes/hes.rst
@@ -17,7 +17,7 @@ Homomorphic Encryption Parameters
     >>> HESv111024128ternary
     LWEParameters(n=1024, q=134217728, Xs=D(σ=0.82), Xe=D(σ=3.00), m=1024, tag='HESv11ternary')
     >>> LWE.primal_hybrid(HESv111024128ternary)
-    rop: ≈2^182.5, red: ≈2^181.7, svp: ≈2^181.4, β: 345, η: 2, ζ: 134, |S|: ≈2^212.4, d: 1915, prob: ≈2^-51.2, ↻: ≈2^53.4, tag: hybrid
+    rop: ≈2^184.3, red: ≈2^183.4, svp: ≈2^183.1, β: 345, η: 2, ζ: 134, |S|: ≈2^212.4, d: 1915, prob: ≈2^-52.9, ↻: ≈2^55.1, tag: hybrid
 ::
diff --git a/estimator/lwe_dual.py b/estimator/lwe_dual.py
index 18071fea..44a8a3f2 100644
--- a/estimator/lwe_dual.py
+++ b/estimator/lwe_dual.py
@@ -364,7 +364,7 @@ def __call__(
         - When ζ > 1 and ``solver`` is ``exhaustive_search`` this function estimates the hybrid attack as given in [INDOCRYPT:EspJouKha20]_
         - When ζ > 1 and ``solver`` is ``mitm`` this function estimates the dual MITM
-          hybrid attack roughly following [EPRINT:CHHS19]_
+          hybrid attack roughly following [IEEE:CHHS19]_
         EXAMPLES::
diff --git a/estimator/lwe_primal.py b/estimator/lwe_primal.py
index 6f38b242..80fed537 100644
--- a/estimator/lwe_primal.py
+++ b/estimator/lwe_primal.py
@@ -420,7 +420,7 @@ def ssf(x):
         if mitm and zeta > 0:
             if babai:
-                probability *= mitm_babai_probability(r, params.Xe.stddev, params.q)
+                probability *= mitm_babai_probability(r, params.Xe.stddev)
             else:
                 # TODO: the probability in this case needs to be analysed
                 probability *= 1
diff --git a/estimator/ntru.py b/estimator/ntru.py
index b4bbb5de..11b1973c 100644
--- a/estimator/ntru.py
+++ b/estimator/ntru.py
@@ -117,7 +117,7 @@ def __call__(
         usvp :: rop: ≈2^162.1, red: ≈2^162.1, δ: 1.003557, β: 470, d: 1317, tag: usvp
         bdd :: rop: ≈2^158.7, red: ≈2^157.7, svp: ≈2^157.7, β: 454, η: 489, d: 1306, tag: bdd
         bdd_hybrid :: rop: ≈2^158.7, red: ≈2^157.7, svp: ≈2^157.7, β: 454, η: 489, ζ: 0, |S|: 1, d: ...
-        bdd_mitm_hybrid :: rop: ≈2^233.0, red: ≈2^232.1, svp: ≈2^232.0, β: 469, η: 2, ζ: 178, |S|: ...
+        bdd_mitm_hybrid :: rop: ≈2^235.7, red: ≈2^234.8, svp: ≈2^234.6, β: 469, η: 2, ζ: 178, |S|: ...
         >>> params = NTRU.Parameters(n=113, q=512, Xs=ND.UniformMod(3), Xe=ND.UniformMod(3))
         >>> _ = NTRU.estimate(params, catch_exceptions=False)
@@ -125,7 +125,7 @@ def __call__(
         dsd :: rop: ≈2^37.9, red: ≈2^37.9, δ: 1.013310, β: 31, d: 226, tag: dsd
         bdd :: rop: ≈2^42.4, red: ≈2^41.0, svp: ≈2^41.8, β: 41, η: 70, d: 225, tag: bdd
         bdd_hybrid :: rop: ≈2^42.4, red: ≈2^41.0, svp: ≈2^41.8, β: 41, η: 70, ζ: 0, |S|: 1, d: 226, ...
-        bdd_mitm_hybrid :: rop: ≈2^55.6, red: ≈2^54.7, svp: ≈2^54.6, β: 41, η: 2, ζ: 32, |S|: ≈2^50.7, ...
+        bdd_mitm_hybrid :: rop: ≈2^55.8, red: ≈2^54.9, svp: ≈2^54.7, β: 41, η: 2, ζ: 32, |S|: ≈2^50.7, ...
         """
         params = params.normalize()
diff --git a/estimator/prob.py b/estimator/prob.py
index 345cff87..70565619 100644
--- a/estimator/prob.py
+++ b/estimator/prob.py
@@ -1,7 +1,6 @@
 # -*- coding: utf-8 -*-
 from sage.all import binomial, ZZ, log, ceil, RealField, oo, exp, pi
 from sage.all import RealDistribution, RR, sqrt, prod, erf
-from .nd import sigmaf
 from .conf import max_n_cache
@@ -78,40 +77,31 @@ def gaussian_cdf(mu, sigma, t):
     return RR((1/2)*(1 + erf((t - mu)/(sqrt(2)*sigma))))
-def mitm_babai_probability(r, stddev, q, fast=False):
+def mitm_babai_probability(r, stddev, fast=False):
     """
     Compute the "e-admissibility" probability associated to the mitm step, according to
-    [EPRINT:SonChe19]_
+    [WAHC:SonChe19]_
     :params r: the squared GSO lengths
     :params stddev: the std.dev of the error distribution
-    :params q: the LWE modulus
     :param fast: toggle for setting p = 1 (faster, but underestimates security)
     :return: probability for the mitm process
-
-    # NOTE: the model sometimes outputs negative probabilities, we set p = 0 in this case
     """
-
     if fast: # overestimate the probability -> underestimate security
         return 1
-    # get non-squared norms
-    alphaq = sigmaf(stddev)
-    probs = (
-        RR(
-            erf(s * sqrt(RR(pi)) / alphaq)
-            + (alphaq / s) * ((exp(-s * sqrt(RR(pi)) / alphaq) - 1) / RR(pi))
-        )
-        for s in map(sqrt, r)
-    )
-    p = RR(prod(probs))
-    return p if 0 <= p <= 1 else 0.0
+    # Note: `r` contains *square norms*, so convert to non-square norms.
+    # Follow the proof of Lemma 4.2 [WAHC:SonChe19]_, because that one uses standard deviation.
+    xs = [sqrt(.5 * ri) / stddev for ri in r]
+    p = prod(RR(erf(x) - (1 - exp(-x**2)) / (x * sqrt(pi))) for x in xs)
+    assert 0.0 <= p <= 1.0
+    return p
 def babai(r, norm):
     """
-    Babai probability following [EPRINT:Wun16]_.
+    Babai probability following [JMC:Wunderer19]_.
     """
     denom = float(2 * norm) ** 2
diff --git a/estimator/reduction.py b/estimator/reduction.py
index d49a83bd..929cc4e6 100644
--- a/estimator/reduction.py
+++ b/estimator/reduction.py
@@ -480,7 +480,7 @@ class LaaMosPol14(ReductionCost):
     def __call__(self, beta, d, B=None):
         """
-        Runtime estimation for quantum sieving following [EPRINT:LaaMosPol14]_ and [PhD:Laarhoven15]_.
+        Runtime estimation for quantum sieving following [DCC:LaaMosPol15]_ and [PhD:Laarhoven15]_.
         :param beta: Block size ≥ 2.
         :param d: Lattice dimension.
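Review bot: The `assert 0.0 <= p <= 1.0` that replaces the old `return p if 0 <= p <= 1 else 0.0` in `mitm_babai_probability` is a range check on a computed value, so it vanishes under `python -O` and, when it does fire, aborts the whole estimate with a context-free AssertionError where the old code returned p = 0; `if not 0.0 <= p <= 1.0: raise ValueError(f"mitm_babai_probability: p={p} outside [0, 1]")` keeps the guard in optimized runs and names the cause. Removing `q` also moves `fast` into the third positional slot, so any caller not updated like lwe_primal.py that still passes the modulus positionally would silently take the `fast` branch and get p = 1, inflating the attack's success probability and hence understating security; making it keyword-only, `def mitm_babai_probability(r, stddev, *, fast=False)`, turns that into a TypeError instead. The new factor `(1 - exp(-x**2)) / (x * sqrt(pi))` divides by x, which is zero only if an entry of `r` is zero — presumably impossible for GSO norms of a basis, but a docstring line stating that `r` must be strictly positive would make the precondition explicit.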