Paper 2023/1547

Further Improvements of the Estimation of Key Enumeration with Applications to Solving LWE

Alessandro Budroni, Technology Innovation Institute
Erik Mårtensson, University of Bergen, Lund University
Abstract

In post-quantum cryptography, Learning With Errors (LWE) is one of the dominant underlying mathematical problems. The dual attack is one of the main strategies for solving the LWE problem, and it has recently gathered significant attention within the research community. The attack strategy consists of a lattice reduction part and a distinguishing part. The latter includes an enumeration subroutine over a certain number of positions of the secret key. Our contribution consists of giving a precise and efficient approach for calculating the expected complexity of such an enumeration procedure, which was missing in the literature. This allows us to decrease the estimated cost of the whole dual attack, both classically and quantumly, on well-known protocols such as Kyber, Saber, and TFHE. In addition, we explore different enumeration strategies to investigate some potential further improvements. As our method of calculating the expected cost of enumeration is pretty general, it might be of independent interest in other areas of cryptanalysis or even in different research areas.

Note: This is the version of the paper sent to "Cryptography and Communications", where it will soon be published. It is an extension of the paper "Improved Estimation of Key Enumeration with Applications to Solving LWE", which was presented at ISIT 2023 and is available on ePrint as 2023/139.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Cryptography and Communications (CCDS)
DOI
https://doi.org/10.1007/s12095-024-00722-1
Keywords
Cryptography, Lattice-based cryptography, Learning with Errors, Dual attacks.
Contact author(s)
alessandro budroni @ tii ae
erik martensson @ eit lth se
History
2024-06-07: last of 2 revisions
2023-10-09: received
Short URL
https://ia.cr/2023/1547
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1547,
      author = {Alessandro Budroni and Erik Mårtensson},
      title = {Further Improvements of the Estimation of Key Enumeration with Applications to Solving {LWE}},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1547},
      year = {2023},
      doi = {https://doi.org/10.1007/s12095-024-00722-1},
      note = {\url{https://eprint.iacr.org/2023/1547}},
      url = {https://eprint.iacr.org/2023/1547}
}