Paper 2025/280

Cryptanalysis of rank-2 module-LIP: a single real embedding is all it takes

Bill Allombert, Univ. Bordeaux, CNRS, Inria, Bordeaux INP, IMB, Talence, France
Alice Pellet-Mary, Univ. Bordeaux, CNRS, Inria, Bordeaux INP, IMB, Talence, France
Wessel van Woerden, Univ. Bordeaux, CNRS, Inria, Bordeaux INP, IMB, Talence, France, PQShield
Abstract

The rank-2 module-LIP problem was introduced in cryptography by (Ducas, Postlethwaite, Pulles, van Woerden, Asiacrypt 2022), to construct the highly performant HAWK scheme. A first cryptanalytic work by (Mureau, Pellet-Mary, Pliatsok, Wallet, Eurocrypt 2024) showed a heuristic polynomial time attack against the rank-2 module-LIP problem over totally real number fields. While mathematically interesting, this attack focuses on number fields that are not relevant for cryptography. The main families of fields used in cryptography are the highly predominant cyclotomic fields (used for instance in the HAWK scheme), as well as the NTRU Prime fields, used for instance in the eponymous NTRU Prime scheme (Bernstein, Chuengsatiansup, Lange, van Vredendaal, SAC 2017). In this work, we generalize the attack of Mureau et al. against rank-2 module-LIP to the family of all number fields with at least one real embedding, which contains the NTRU Prime fields. We present three variants of our attack, firstly a heuristic one that runs in quantum polynomial time. Secondly, under the extra assumption that the defining polynomial of has a -transitive Galois group (which is the case for the NTRU Prime fields), we give a provable attack that runs in quantum polynomial time. And thirdly, with the same -transitivity assumption we give a heuristic attack that runs in classical polynomial time. For the latter we use a generalization of the Gentry-Szydlo algorithm to any number field which might be of independent interest.

Note: Full version with appendix.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
A major revision of an IACR publication in EUROCRYPT 2025
Keywords
lattice, lattice isomorphism problem, Gentry-Szydlo algorithm
Contact author(s)
bill allombert @ math u-bordeaux fr
alice pellet-mary @ math u-bordeaux fr
wessel vanwoerden @ pqshield com
History
2025-02-19: approved
2025-02-18: received
Short URL
https://ia.cr/2025/280
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/280,
      author = {Bill Allombert and Alice Pellet-Mary and Wessel van Woerden},
      title = {Cryptanalysis of rank-2 module-{LIP}: a single real embedding is all it takes},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/280},
      year = {2025},
      url = {https://eprint.iacr.org/2025/280}
}