Reducing an LWE Instance by Modular Hints and its Applications to Primal Attack, Dual Attack and BKW Attack

Han Wu; Xiaoyun Wang; Guangwu Xu

Paper 2022/1404

Reducing an LWE Instance by Modular Hints and its Applications to Primal Attack, Dual Attack and BKW Attack

Han Wu

, Shandong University

Xiaoyun Wang, Tsinghua University

Guangwu Xu, Shandong University

Abstract

An emerging direction of investigating the resilience of post-quantum cryptosystems under side-channel attacks is to consider the situations where leaked information is combined with traditional attack methods in various forms. In CRYPTO 2020, Dachman-Soled et al. integrated hints from side-channel information to the primal attack against LWE schemes. This idea is further developed in this paper. An accurate characterization of the information from perfect hints and modular hints is obtained through the establishment of an interesting decomposition of $\mathbb{Z}^n$. It is observed that modular hints with modulus $p$ produce some orthogonal projection of the secret in $\mathbb{Z}_p$, which is exactly an extension of the case of perfect hints in $\mathbb{R}$. Based on these, a new attack framework is described when some modular hints with modulus $q$ are available. In this framework, an adversary first reduces the LWE instance using such hints, and then performs various attacks on the new instance. One of the key characters of our framework is that the dimension of the secret in the new instance always decreases under some moderate conditions. A comparison with the previous work shows that our approach is in some sense more essential and applicable to various kinds of attacks. The new way of integrating modular hints to primal attack improves the existing work. The first attempt of using modular hints in dual attack and BKW attack is also discussed in the paper and better analysis results are produced. Experiments have been carried out and shown that multiple modular hints with modulus $q$ can indeed significantly reduce their attack costs. For examples, with just 100 hints, the blocksize can be reduced by 101 and the time complexity can be reduced by a factor of $2^{30}$ in both primal attack and dual attack against a Newhope1024 instance. As for the BKW attack, if 90 hints are available, the number of queries to the LWE oracle can be decreased by a factor of $2^{60}$, as do the time complexity and memory complexity when attacking an instance of Regev cryptosystem $(384,147457,39.19)$.

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: Preprint.
Contact author(s): hanwu97 @ mail sdu edu cn
xiaoyunwang @ mail tsinghua edu cn
gxu4sdq @ sdu edu cn
History: 2022-10-23: approved; 2022-10-16: received; See all versions
Short URL: https://ia.cr/2022/1404
License: CC BY

BibTeX

@misc{cryptoeprint:2022/1404,
      author = {Han Wu and Xiaoyun Wang and Guangwu Xu},
      title = {Reducing an LWE Instance by Modular Hints and its Applications to Primal Attack, Dual Attack and BKW Attack},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1404},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1404}},
      url = {https://eprint.iacr.org/2022/1404}
}