Paper 2022/1343

Refined Strategy for Solving LWE in Two-step Mode

Wenwen Xia, Shanghai Jiao Tong University
Leizhang Wang, Xidian University
GengWang, Shanghai Jiao Tong University
Dawu Gu, Xidian University, Shanghai Jiao Tong University
Baocang Wang, Xidian University
Abstract

Learning with Errors (LWE) and its variants are widely used in constructing lattice-based cryptographic schemes, including NIST standards Kyber and Dilithium, and a refined estimation of LWE’s hardness is crucial for their security. Currently, primal attack is considered the fastest algorithm for solving LWE problem in practice. It reduces LWE to a unique Shortest Vector Problem (uSVP) and combines lattice reduction algorithms with SVP calls such as enumeration or sieving. However, finding the most time-efficient combination strategy for these algorithms remains a challenge. The designers of Kyber highlighted this issue as open problem Q7: “A refined (progressive) lattice reduction strategy and a precise analysis of the gains using reduction preprocessing plus a single SVP call in large dimensions are still missing.” In this paper, we address this problem by presenting a Strategy Search algorithm named PSSearch for solving uSVP and LWE, using progressive BKZ as the lattice reduction and sieving as the SVP call. Compared to the heuristic strategy used in G6K (Albrechet et al., Eurocrypt 2019), the strategy generated by our algorithm has the following advantages: (1) We design a tree search algorithm with pruning named PSSearch to find the minimal time-cost strategy in two-step mode and prove its correctness, showing that the fastest approach in two-step mode for solving uSVP and LWE can be achieved in a reasonable timeframe; (2) We propose the first tight simulation for BKZ that can jump by J > 1 blocks, which allows us to choose more flexible jump values to improve reduction efficiency. (3) We propose a refined dimension estimation method for the SVP call. We tested the accuracy of our new simulation algorithm and the efficiency of our new strategy through experiments. Furthermore, we apply the strategies generated by SSearch to solve the TU Darmstadt LWE Challenges with (n, α) ∈{(80, 0.005), (40, 0.035), (90, 0.005), (50, 0.025), (55, 0.020), (40, 0.040)} using the G6K framework, achieving improve- ments of 7.2 to 23.4 times over the heuristic strategy employed in G6K. By combining the minimal time-cost strategy selection with the refined two-step estimator for LWE (Xia et al., PKC 2024), we re-estimate the hardness of NIST standards Kyber and Dilithium, and determine the influence of the strategy. Specifically, the security levels of NIST standards decrease by 3.4 to 4.6 bits, rather than 2 to 8 bits indicated in the Kyber documentation. It achieves a decrease of 1.1 to 1.3 bits compared to the refined two-step estimation using trivial strategy.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
cryptanalysislattice reductionuSVP· progressive BKZPnjBKZ Simulatoroptimized blocksize and jump strategy.
Contact author(s)
xww_summer @ sjtu edu cn
lzwang_2 @ stu xidian edu cn
wanggxx @ sjtu edu cn
dwgu @ sjtu edu cn
bcwang @ xidian edu cn
History
2024-11-14: last of 7 revisions
2022-10-08: received
See all versions
Short URL
https://ia.cr/2022/1343
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2022/1343,
      author = {Wenwen Xia and Leizhang Wang and GengWang and Dawu Gu and Baocang Wang},
      title = {Refined Strategy for Solving {LWE} in Two-step Mode},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1343},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1343}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.