Paper 2023/1892
Asymptotics of hybrid primal lattice attacks
Abstract
The literature gives the impression that (1) existing heuristics accurately predict how effective lattice attacks are, (2) non-ternary lattice systems are not vulnerable to hybrid multi-decoding primal attacks, and (3) the asymptotic exponents of attacks against non-ternary systems have stabilized. This paper shows that 1 contradicts 2 and that 1 contradicts 3: the existing heuristics imply that hybrid primal key-recovery attacks are exponentially faster than standard non-hybrid primal key-recovery attacks against the LPR PKE with any constant error width. This is the first report since 2015 of an exponential speedup in heuristic non-quantum primal attacks against non-ternary LPR. Quantitatively, for dimension n, modulus n^{Q_0+o(1)}, and error width w, a surprisingly simple hybrid attack reduces heuristic costs from 2^{(ρ+o(1))n} to 2^{(ρ-ρ H_0+o(1))n}, where z_0=2Q_0/(Q_0+1/2)^2, ρ=z_0 log_4(3/2), and H_0=1/(1+(lg w)/0.057981z_0). This raises the questions of (1) what heuristic exponent is achieved by more sophisticated hybrid attacks and (2) what impact hybrid attacks have upon concrete cryptosystems whose security analyses have ignored hybrid attacks, such as Kyber-512.
Metadata
- Available format(s)
-
PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- algorithm analysislattice attackscombinatorial attackslattice-basis reductionhybrid attacksCVPPBDDP
- Contact author(s)
- authorcontact-hybrid @ box cr yp to
- History
- 2023-12-11: approved
- 2023-12-08: received
- See all versions
- Short URL
- https://ia.cr/2023/1892
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/1892,
author = {Daniel J. Bernstein},
title = {Asymptotics of hybrid primal lattice attacks},
howpublished = {Cryptology {ePrint} Archive, Paper 2023/1892},
year = {2023},
url = {https://eprint.iacr.org/2023/1892}
}
