Paper 2024/1229

Benchmarking Attacks on Learning with Errors

Emily Wenger, Duke University, Meta AI
Eshika Saxena, Meta AI
Mohamed Malhou, Meta AI, Sorbonne Universite
Ellie Thieu, University of Wisconsin-Madison
Kristin Lauter, Meta AI
Abstract

Lattice cryptography schemes based on the learning with errors (LWE) hardness assumption have been standardized by NIST for use as post-quantum cryptosystems, and by HomomorphicEncryption.org for encrypted compute on sensitive data. Thus, understanding their concrete security is critical. Most work on LWE security focuses on theoretical estimates of attack performance, which is important but may overlook attack nuances arising in real-world implementations. The sole existing concrete benchmarking effort, the Darmstadt Lattice Challenge, does not include benchmarks relevant to the standardized LWE parameter choices - such as small secret and small error distributions, and Ring-LWE (RLWE) and Module-LWE (MLWE) variants. To improve our understanding of concrete LWE security, we provide the first benchmarks for LWE secret recovery on standardized parameters, for small and low-weight (sparse) secrets. We evaluate four LWE attacks in these settings to serve as a baseline: the Search-LWE attacks uSVP, SALSA, and Cool & Cruel, and the Decision-LWE attack: Dual Hybrid Meet-in-the-Middle (MitM). We extend the SALSA and Cool & Cruel attacks in significant ways, and implement and scale up MitM attacks for the first time. For example, we recover hamming weight $9-11$ binomial secrets for KYBER ($\kappa=2$) parameters in $28-36$ hours with SALSA and Cool & Cruel, while we find that MitM can solve Decision-LWE instances for hamming weights up to $4$ in under an hour for Kyber parameters, while uSVP attacks do not recover any secrets after running for more than $1100$ hours. We also compare concrete performance against theoretical estimates. Finally, we open source the code to enable future research.

Note: Accepted at Oakland S&P 2025

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Learning with ErrorsCryptanalysisBenchmarkingMachine Learning
Contact author(s)
emily wenger @ duke edu
eshika @ meta com
mmalhou @ meta com
thieu @ wisc edu
klauter @ meta com
History
2024-10-10: last of 2 revisions
2024-08-01: received
See all versions
Short URL
https://ia.cr/2024/1229
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1229,
      author = {Emily Wenger and Eshika Saxena and Mohamed Malhou and Ellie Thieu and Kristin Lauter},
      title = {Benchmarking Attacks on Learning with Errors},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1229},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1229}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.