diff --git a/docs/algorithms/lwe-dual.rst b/docs/algorithms/lwe-dual.rst
index c67a304..ffc10a0 100644
--- a/docs/algorithms/lwe-dual.rst
+++ b/docs/algorithms/lwe-dual.rst
@@ -18,7 +18,7 @@ We can improve these results by considering a dual hybrid attack as in [EC:Albre
 dual_hybrid(params)
-Further improvements are possible using a meet-in-the-middle approach [EPRINT:CHHS19]_::
+Further improvements are possible using a meet-in-the-middle approach [IEEE:CHHS19]_::
 dual_hybrid(params, mitm_optimization=True)
diff --git a/docs/references.rst b/docs/references.rst
index 8ff7f1e..3f025a4 100644
--- a/docs/references.rst
+++ b/docs/references.rst
@@ -15,17 +15,16 @@ References
 .. [C:HowgraveGraham07] Nick Howgrave-Graham. A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In A. Menezes, CRYPTO 2007 (pp. 150–169). : Springer, Heidelberg.
 .. [C:KirFou15] Paul Kirchner & Pierre-Alain Fouque. An improved BKW algorithm for LWE with applications to cryptography and lattices. In R. Gennaro, & M. J. B. Robshaw, CRYPTO 2015, Part~I (pp. 43–62). : Springer, Heidelberg.
 .. [CheNgu12] Yuanmi Chen and Phong Q. Nguyen. BKZ 2.0: Better lattice security estimates (Full Version). 2012. http://www.di.ens.fr/~ychen/research/Full_BKZ.pdf
+.. [DCC:LaaMosPol15] Thijs Laarhoven, Michele Mosca, & Joop van de Pol. Finding shortest lattice vectors faster using quantum search. In Designs, COdes and Cryptography 2015 (pp. 375-400). https://doi.org/10.1007/s10623-015-0067-5
 .. [Dilithium21] Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-DILITHIUM. 2021 https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf
 .. [EC:Albrecht17] Albrecht, M. R. (2017). On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In J. Coron, & J. B. Nielsen, EUROCRYPT 2017, Part II (pp. 103–129). : Springer, Heidelberg.
 .. [EC:Ducas18] Léo Ducas (2018). Shortest vector from lattice sieving: A few dimensions for free. In J. B. Nielsen, & V. Rijmen, EUROCRYPT 2018, Part I (pp. 125–145). : Springer, Heidelberg.
 .. [EC:GamNgu08] Gama, N., Nguyen, P.Q. (2008). Predicting Lattice Reduction. In: Smart, N. (eds) Advances in Cryptology – EUROCRYPT 2008. EUROCRYPT 2008. Lecture Notes in Computer Science, vol 4965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78967-3_3
 .. [EC:KirFou17] Kirchner, P., Fouque, PA. (2017). Revisiting Lattice Attacks on Overstretched NTRU Parameters. In: Coron, JS., Nielsen, J. (eds) Advances in Cryptology – EUROCRYPT 2017. EUROCRYPT 2017.
Lecture Notes in Computer Science(), vol 10210. Springer, Cham. https://doi.org/10.1007/978-3-319-56620-7_1
-.. [EPRINT:CHHS19] Cheon, J.H., Hhan, M., Hong, S. and Son, Y., 2019. A hybrid of dual and meet-in-the-middle attack on sparse and ternary secret LWE. IEEE Access, 7, pp.89497-89506. https://ia.cr/2019/1114pri
-.. [EPRINT:LaaMosPol14] Thijs Laarhoven, Michele Mosca, & Joop van de Pol. Finding shortest lattice vectors faster using quantum search. Cryptology ePrint Archive, Report 2014/907, 2014. https://eprint.iacr.org/2014/907.
-.. [EPRINT:SonChe19] Son, Y. and Cheon, J.H., 2019. Revisiting the Hybrid Attack on sparse abd ternary LWE. Workshop on Applied Homomorphic Cryptography, WAHC2019.
-.. [EPRINT:Wun16] Wunderer, T. (2016). Revisiting the hybrid attack: improved analysis and refined security estimates. https://eprint.iacr.org/2016/733
+.. [IEEE:CHHS19] Cheon, J.H., Hhan, M., Hong, S. and Son, Y., 2019. A hybrid of dual and meet-in-the-middle attack on sparse and ternary secret LWE. IEEE Access, 7, pp.89497-89506. https://doi.org/10.1109/ACCESS.2019.2925425
 .. [INDOCRYPT:EspJouKha20] Espitau, T., Joux, A. and Kharchenko, N., 2020, December. On a dual/hybrid approach to small secret LWE. In International Conference on Cryptology in India (pp. 440-462). Springer, Cham. https://ia.cr/2020/515
 .. [JMC:AlbPlaSco15] Albrecht, M. R., Player, R., & Scott, S. (2015). On the concrete hardness of Learning with Errors. Journal of Mathematical Cryptology, 9(3), 169–203.
+.. [JMC:Wunderer19] Wunderer, T. (2019). A detailed analysis of the hybrid lattice-reduction and meet-in-the-middle attack. Journal of Mathematical Cryptology, 13(1), 1-26. https://doi.org/10.1515/jmc-2016-0044
 .. [Kyber17] Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-KYBER. 2017
 .. [Kyber20] Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M.
Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-KYBER. 2020 https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf
 .. [MATZOV22] MATZOV. Report on the Security of LWE: Improved Dual Lattice Attack. https://zenodo.org/record/6412487 2003
@@ -36,5 +35,6 @@ References
 .. [RSA:LiuNgu13] Liu, M., & Nguyen, P. Q.. Solving BDD by enumeration: an update. In E. Dawson, CT-RSA 2013 (pp. 293–309). : Springer, Heidelberg.
 .. [SAC:AlbCurWun19] Albrecht, M. R., Curtis, B. R., & Wunderer, T.. Exploring trade-offs in batch bounded distance decoding. In K. G. Paterson, & D. Stebila, SAC 2019 (pp. 467–491). : Springer, Heidelberg.
 .. [SODA:BDGL16] Becker, A., Ducas, L., Gama, N., & Laarhoven, T. (2016). New directions in nearest neighbor searching with applications to lattice sieving. In SODA 2016, (pp. 10–24).
-.. [Schnorr03] Claus-Peter Schnorr. Lattice Reduction by Random Sampling and Birthday Methods. In: STACS2003, 20th Annual Symposium on Theoretical Aspects of Computer Science, Berlin, Germany, February 27 - March 1, 2003, Proceedings. Ed. by Helmut Alt and Michel Habib. Vol. 2607. Lecture Notes in Computer Science. Springer, 2003, pp. 145–156.doi:10.1007/3-540-36494-3_14. url: http://dx.doi.org/10.1007/3-540-36494-3_14.
+.. [Schnorr03] Claus-Peter Schnorr. Lattice Reduction by Random Sampling and Birthday Methods. In: STACS2003, 20th Annual Symposium on Theoretical Aspects of Computer Science, Berlin, Germany, February 27 - March 1, 2003, Proceedings. Ed. by Helmut Alt and Michel Habib. Vol. 2607. Lecture Notes in Computer Science. Springer, 2003, pp. 145–156. https://dx.doi.org/10.1007/3-540-36494-3_14
 .. [USENIX:ADPS16] Edem Alkim, Léo Ducas, Thomas Pöppelmann, & Peter Schwabe (2016). Post-quantum key exchange - A New Hope. In T. Holz, & S. Savage, 25th USENIX Security Symposium, USENIX Security 16 (pp. 327–343). USENIX Association.
+.. [WAHC:SonChe19] Son, Y. and Cheon, J.H., 2019. Revisiting the Hybrid Attack on sparse abd ternary LWE. Workshop on Applied Homomorphic Cryptography, WAHC2019. https://doi.org/10.1145/3338469.3358941
diff --git a/estimator/lwe_dual.py b/estimator/lwe_dual.py
index 18071fe..44a8a3f 100644
--- a/estimator/lwe_dual.py
+++ b/estimator/lwe_dual.py
@@ -364,7 +364,7 @@ def __call__(
 - When ζ > 1 and ``solver`` is ``exhaustive_search`` this function estimates the hybrid attack as given in [INDOCRYPT:EspJouKha20]_
 - When ζ > 1 and ``solver`` is ``mitm`` this function estimates the dual MITM
- hybrid attack roughly following [EPRINT:CHHS19]_
+ hybrid attack roughly following [IEEE:CHHS19]_
 EXAMPLES::
diff --git a/estimator/prob.py b/estimator/prob.py
index 041dd2b..7056561 100644
--- a/estimator/prob.py
+++ b/estimator/prob.py
@@ -80,7 +80,7 @@ def gaussian_cdf(mu, sigma, t):
 def mitm_babai_probability(r, stddev, fast=False):
 """
 Compute the "e-admissibility" probability associated to the mitm step, according to
- [EPRINT:SonChe19]_
+ [WAHC:SonChe19]_
 :params r: the squared GSO lengths
 :params stddev: the std.dev of the error distribution
@@ -92,7 +92,7 @@ def mitm_babai_probability(r, stddev, fast=False):
 return 1
 # Note: `r` contains *square norms*, so convert to non-square norms.
- # Follow the proof of Lemma 4.2 [EPRINT_SonChe19]_, because that one uses standard deviation.
+ # Follow the proof of Lemma 4.2 [WAHC:SonChe19]_, because that one uses standard deviation.
 xs = [sqrt(.5 * ri) / stddev for ri in r]
 p = prod(RR(erf(x) - (1 - exp(-x**2)) / (x * sqrt(pi))) for x in xs)
 assert 0.0 <= p <= 1.0
@@ -101,7 +101,7 @@ def mitm_babai_probability(r, stddev, fast=False):
 def babai(r, norm):
 """
- Babai probability following [EPRINT:Wun16]_.
+ Babai probability following [JMC:Wunderer19]_.
 """
 denom = float(2 * norm) ** 2
diff --git a/estimator/reduction.py b/estimator/reduction.py
index d49a83b..929cc4e 100644
--- a/estimator/reduction.py
+++ b/estimator/reduction.py
@@ -480,7 +480,7 @@ class LaaMosPol14(ReductionCost):
 def __call__(self, beta, d, B=None):
 """
- Runtime estimation for quantum sieving following [EPRINT:LaaMosPol14]_ and [PhD:Laarhoven15]_.
+ Runtime estimation for quantum sieving following [DCC:LaaMosPol15]_ and [PhD:Laarhoven15]_.
 :param beta: Block size ≥ 2.
 :param d: Lattice dimension.
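Review bot: The parameter fields in the `mitm_babai_probability` docstring are spelled `:params r:` and `:params stddev:`, which is not the Sphinx `:param` field, so they will not render as parameter descriptions even though the citation on the line above them is being corrected in this hunk. Since the commit already edits this docstring, change them to `:param r: the squared GSO lengths` and `:param stddev: the std.dev of the error distribution`, and add a `:param fast:` line for the third argument, whose effect is not visible in the hunk. The docstring and the function body continue outside the hunk.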
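Review bot: After the citation swap, the docstring of `babai` still says nothing about its arguments, so a reader has to work out what `r` and `norm` mean from the body. Suggest adding `:param r:` and `:param norm:` lines under the citation; `r` is presumably the squared GSO lengths as in `mitm_babai_probability` just above, and the visible `denom = float(2 * norm) ** 2` suggests `norm` is a length bound, but both should be confirmed against [JMC:Wunderer19] before being written down. The function body continues outside the hunk.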
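Review bot: The `__call__` docstring now cites [DCC:LaaMosPol15]_ while the enclosing class is still named `LaaMosPol14`, so the year in the code no longer matches the year in the reference, and anyone who selected this cost model by the old `EPRINT:LaaMosPol14` label may wonder whether the model itself changed. The removed and added reference entries in docs/references.rst carry the same title and authors, so a one-line hedge in the docstring would settle it, e.g. `The DCC 2015 article appears to be the published version of ePrint 2014/907, which the class name refers to; the cost formula below is unchanged.` Whether the two texts give the same exponent is not visible in this diff and should be checked before the sentence is committed. The class header and the rest of `__call__` lie outside the hunk.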