Cryptology ePrint Archive: Report 2020/1308

On the Success Probability of Solving Unique SVP via BKZ

Eamonn W. Postlethwaite and Fernando Virdia

Abstract: As lattice-based key encapsulation, digital signature, and fully homomorphic encryption schemes near standardisation, ever more focus is being directed to the precise estimation of the security of these schemes. The primal attack reduces key recovery against such schemes to instances of the unique Shortest Vector Problem (uSVP). Dachman-Soled et al. (Crypto 2020) recently proposed a new approach for fine-grained estimation of the cost of the primal attack when using Progressive BKZ for lattice reduction. In this paper we review and extend their technique to BKZ 2.0 and provide extensive experimental evidence of its accuracy. Using this technique we also explain results from previous primal attack experiments by Albrecht et al. (Asiacrypt 2017) where attacks succeeded with smaller than expected block sizes. Finally, we use our simulators to reestimate the cost of attacking the three lattice KEM finalists of the NIST Post Quantum Standardisation Process.

Category / Keywords: public-key cryptography / cryptanalysis, lattice-based cryptography, lattice reduction

Original Publication (with minor differences): IACR-PKC-2021

Date: received 19 Oct 2020, last revised 1 May 2021

Contact author: eamonn postlethwaite 2016 at rhul ac uk, fernando virdia 2016@rhul ac uk

Available format(s): PDF | BibTeX Citation

Note: Minor differences in body, includes appendices that are missing in the published version.

Version: 20210501:204024 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]