The cool and the cruel: separating hard parts of LWE secrets

Niklas Nolte; Mohamed Malhou; Emily Wenger; Samuel Stevens; Cathy Yuanchen Li; Francois Charton; Kristin Lauter

Paper 2024/443

The cool and the cruel: separating hard parts of LWE secrets

Niklas Nolte, FAIR, Meta

Mohamed Malhou, FAIR, Meta

Emily Wenger, FAIR, Meta

Samuel Stevens, The Ohio State University

Cathy Yuanchen Li, University of Chicago

Francois Charton, FAIR, Meta

Kristin Lauter, FAIR, Meta

Abstract

Sparse binary LWE secrets are under consideration for standardization for Homomorphic Encryption and its applications to private computation. Known attacks on sparse binary LWE secrets include the sparse dual attack and the hybrid sparse dual-meet in the middle attack, which requires significant memory. In this paper, we provide a new statistical attack with low memory requirement. The attack relies on some initial parallelized lattice reduction. The key observation is that, after lattice reduction is applied to the rows of a q-ary-like embedded random matrix A, the entries with high variance are concentrated in the early columns of the extracted matrix. This allows us to separate out the “hard part” of the LWE secret. We can first solve the sub-problem of finding the “cruel” bits of the secret in the early columns, and then find the remaining “cool” bits in linear time. We use statistical techniques to distinguish distributions to identify both the cruel and the cool bits of the secret. We provide concrete attack timings for recovering secrets in dimensions n = 256, 512, and 768. For the lattice reduction stage, we leverage recent improvements in lattice reduction (flatter) applied in parallel. We also apply our new attack in the RLWE setting for 2-power cyclotomic rings, showing that these RLWE instances are much more vulnerable to this attack than LWE.

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: Preprint.
Keywords: Learning With Errors R-LWE Sparse secrets statistical analysis
Contact author(s): nolte @ meta com
mmalhou @ meta com
ewenger @ meta com
stevens 994 @ buckeyemail osu edu
yuanchen @ uchicago edu
fcharton @ meta com
klauter @ meta com
History: 2024-03-15: approved; 2024-03-14: received; See all versions
Short URL: https://ia.cr/2024/443
License: CC BY

BibTeX

@misc{cryptoeprint:2024/443,
      author = {Niklas Nolte and Mohamed Malhou and Emily Wenger and Samuel Stevens and Cathy Yuanchen Li and Francois Charton and Kristin Lauter},
      title = {The cool and the cruel: separating hard parts of LWE secrets},
      howpublished = {Cryptology ePrint Archive, Paper 2024/443},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/443}},
      url = {https://eprint.iacr.org/2024/443}
}