**LWE Without Modular Reduction and Improved Side-Channel Attacks Against BLISS**

*Jonathan Bootle and Claire Delaplace and Thomas Espitau and Pierre-Alain Fouque and Mehdi Tibouchi*

**Abstract: **This paper is devoted to analyzing the variant of Regev's learning with
errors (LWE) problem in which modular reduction is omitted: namely, the
problem (ILWE) of recovering a vector $\vec s\in\mathbb{Z}^n$ given polynomially many
samples of the form $(\vec a,\langle\vec a,\vec s\rangle + e)\in\mathbb{Z}^{n+1}$
where $\vec a$ and $e$ follow fixed distributions. Unsurprisingly, this
problem is much easier than LWE: under mild conditions on the
distributions, we show that the problem can be solved efficiently as long
as the variance of $e$ is not superpolynomially larger than that of $\vec
a$. We also provide almost tight bounds on the number of samples needed
to recover $\vec s$.

Our interest in studying this problem stems from the side-channel attack against the BLISS lattice-based signature scheme described by Espitau et al. at CCS 2017. The attack targets a quadratic function of the secret that leaks in the rejection sampling step of BLISS. The same part of the algorithm also suffers from a linear leakage, but the authors claimed that this leakage could not be exploited due to signature compression: the linear system arising from it turns out to be noisy, and hence key recovery amounts to solving a high-dimensional problem analogous to LWE, which seemed infeasible. However, this noisy linear algebra problem does not involve any modular reduction: it is essentially an instance of ILWE, and can therefore be solved efficiently using our techniques. This allows us to obtain an improved side-channel attack on BLISS, which applies to 100% of secret keys (as opposed to ~7% in the CCS paper), and is also considerably faster.

**Category / Keywords: **public-key cryptography / LWE problem, lattice-based cryptography, side-channel analysis, BLISS, least squares regression, statistical learning, compressed sensing, concentration inequalities

**Original Publication**** (with major differences): **IACR-ASIACRYPT-2018

**Date: **received 3 Sep 2018

**Contact author: **mehdi tibouchi at normalesup org

**Available format(s): **PDF | BibTeX Citation

**Version: **20180906:194445 (All versions of this report)

**Short URL: **ia.cr/2018/822

[ Cryptology ePrint archive ]