Cryptology ePrint Archive: Report 2018/822

LWE Without Modular Reduction and Improved Side-Channel Attacks Against BLISS

Jonathan Bootle and Claire Delaplace and Thomas Espitau and Pierre-Alain Fouque and Mehdi Tibouchi

Abstract: This paper is devoted to analyzing the variant of Regev's learning with errors (LWE) problem in which modular reduction is omitted: namely, the problem (ILWE) of recovering a vector $\vec s\in\mathbb{Z}^n$ given polynomially many samples of the form $(\vec a,\langle\vec a,\vec s\rangle + e)\in\mathbb{Z}^{n+1}$ where $\vec a$ and $e$ follow fixed distributions. Unsurprisingly, this problem is much easier than LWE: under mild conditions on the distributions, we show that the problem can be solved efficiently as long as the variance of $e$ is not superpolynomially larger than that of $\vec a$. We also provide almost tight bounds on the number of samples needed to recover $\vec s$.

Our interest in studying this problem stems from the side-channel attack against the BLISS lattice-based signature scheme described by Espitau et al. at CCS 2017. The attack targets a quadratic function of the secret that leaks in the rejection sampling step of BLISS. The same part of the algorithm also suffers from a linear leakage, but the authors claimed that this leakage could not be exploited due to signature compression: the linear system arising from it turns out to be noisy, and hence key recovery amounts to solving a high-dimensional problem analogous to LWE, which seemed infeasible. However, this noisy linear algebra problem does not involve any modular reduction: it is essentially an instance of ILWE, and can therefore be solved efficiently using our techniques. This allows us to obtain an improved side-channel attack on BLISS, which applies to 100% of secret keys (as opposed to ~7% in the CCS paper), and is also considerably faster.

Category / Keywords: public-key cryptography / LWE problem, lattice-based cryptography, side-channel analysis, BLISS, least squares regression, statistical learning, compressed sensing, concentration inequalities

Original Publication (with major differences): IACR-ASIACRYPT-2018

Date: received 3 Sep 2018

Contact author: mehdi tibouchi at normalesup org

Available format(s): PDF | BibTeX Citation

Version: 20180906:194445 (All versions of this report)

Short URL: ia.cr/2018/822


[ Cryptology ePrint archive ]