Paper 2021/557

Dual lattice attacks for closest vector problems (with preprocessing)

Thijs Laarhoven and Michael Walter

Abstract

The dual attack has long been considered a relevant attack on lattice-based cryptographic schemes relying on the hardness of learning with errors (LWE) and its structured variants. As solving LWE corresponds to finding a nearest point on a lattice, one may naturally wonder how efficient this dual approach is for solving more general closest vector problems, such as the classical closest vector problem (CVP), the variants bounded distance decoding (BDD) and approximate CVP, and preprocessing versions of these problems. While primal, sieving-based solutions to these problems (with preprocessing) were recently studied in a series of works on approximate Voronoi cells, for the dual attack no such overview exists, especially for problems with preprocessing. With one of the take-away messages of the approximate Voronoi cell line of work being that primal attacks work well for approximate CVP(P) but scale poorly for BDD(P), one may wonder if the dual attack suffers the same drawbacks, or if it is a better method for solving BDD(P). In this work we provide an overview of cost estimates for dual algorithms for solving these ''classical'' closest lattice vector problems. Heuristically we expect to solve the search version of average-case CVPP in time and space $2^{0.293d + o(d)}$. For the distinguishing version of average-case CVPP, where we wish to distinguish between random targets and targets planted at distance approximately the Gaussian heuristic from the lattice, we obtain the same complexity in the single-target model, and we obtain query time and space complexities of $2^{0.195d + o(d)}$ in the multi-target setting, where we are given a large number of targets from either target distribution. This suggests an inequivalence between distinguishing and searching, as we do not expect a similar improvement in the multi-target setting to hold for search-CVPP. We analyze three slightly different decoders, both for distinguishing and searching, and experimentally obtain concrete cost estimates for the dual attack in dimensions $50$ to $80$, which confirm our heuristic assumptions, and show that the hidden order terms in the asymptotic estimates are quite small. Our main take-away message is that the dual attack appears to mirror the approximate Voronoi cell line of work -- whereas using approximate Voronoi cells works well for approximate CVP(P) but scales poorly for BDD(P), the dual approach scales well for BDD(P) instances but performs poorly on approximate CVP(P).

Note: Full version of the CT-RSA paper, with all appendices from the original submission included in the main body of the paper.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Major revision. CT-RSA 2021
Keywords
lattice-based cryptographylattice algorithmsprimaldual attacksclosest vector problem (CVP)bounded distance decoding (BDD)
Contact author(s)
mail @ thijs com
michael walter @ ist ac at
History
2021-04-28: received
Short URL
https://ia.cr/2021/557
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/557,
      author = {Thijs Laarhoven and Michael Walter},
      title = {Dual lattice attacks for closest vector problems (with preprocessing)},
      howpublished = {Cryptology ePrint Archive, Paper 2021/557},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/557}},
      url = {https://eprint.iacr.org/2021/557}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.