Cryptology ePrint Archive: Report 2021/1255

How to Find Ternary LWE Keys Using Locality Sensitive Hashing

Elena Kirshanova and Alexander May

Abstract: Let $As = b + e \bmod q$ be an LWE-instance with ternary keys $s,e \in \{0, \pm 1\}^n$. Let $s$ be taken from a search space of size $\mathcal{S}$. A standard Meet-in-the-Middle attack recovers $s$ in time $\mathcal{S}^{0.5}$. Using the representation technique, a recent improvement of May shows that this can be lowered to approximately $\mathcal{S}^{0.25}$ by guessing a sub-linear number of $\Theta(\frac{n}{\log n})$ coordinates from $e$. While guessing such an amount of $e$ can asymptotically be neglected, for concrete instantiations of e.g. NTRU, BLISS or GLP the additional cost of guessing leads to complexities around $\mathcal{S}^{0.3}$.

We introduce a locality sensitive hashing (LSH) technique based on Odlyzko's work that avoids any guessing of $e$'s coordinates. This LSH technique involves a comparably small cost such that we can significantly improve on previous results, pushing complexities towards the asymptotic bound $\mathcal{S}^{0.25}$. Concretely, using LSH we lower the MitM complexity estimates for the currently suggested NTRU and NTRU Prime instantiations by a factor in the range $2^{20}-2^{49}$, and for BLISS and GLP parameters by a factor in the range $2^{18}-2^{41}$.

Category / Keywords: public-key cryptography / Ternary LWE, Combinatorial attack, Representations, LSH

Original Publication (in the same form): IMACC

Date: received 20 Sep 2021, last revised 21 Sep 2021

Contact author: elena kirshanova at rub de, alex may at rub de

Available format(s): PDF | BibTeX Citation

Version: 20210921:195936 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]