Abstract

The dual attack is one of the most efficient attack algorithms for the learning with errors (LWE) problem. Recently, an efficient variant of the dual attack for sparse and small secret LWE was reported by Albrecht (Eurocrypt 2017), which forced some LWE-based cryptosystems, especially fully homomorphic encryption (FHE) schemes, to change parameters. In this paper, we propose a new hybrid of the dual and meet-in-the-middle (MITM) attacks, which outperforms the improved variant in the same LWE parameter regime. To this end, we adapt Odlyzko's MITM attack on NTRU to LWE and give a rigorous analysis of it. The performance of our MITM attack depends on the relative size of the error and the modulus; hence, for large-modulus LWE samples, our MITM attack works well even for quite large errors. We then combine our MITM attack with Albrecht's observation that the dual attack can be understood as a dimension-error tradeoff, which finally yields our hybrid attack. We also implement a Sage module, built upon the LWE-estimator, that estimates the attack complexity of our algorithm, and our attack shows significant performance improvement on the LWE parameters used for FHE. For example, for the LWE problem with dimension n = 2^15, modulus q = 2^628, and a ternary secret key with Hamming weight 64, which is one parameter set used for HEAAN bootstrapping (Eurocrypt 2018), our attack takes 2^112.5 operations and 2^70.6 bits of memory, while the previous best attack requires 2^127.2 operations as reported by the LWE-estimator.
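The abstract's point that the MITM step depends on the size of the error relative to the modulus can be seen on a toy instance. The following Python sketch is an added illustration, not the paper's algorithm or its Sage module: the function names, the sign-bit bucketing and the toy parameters are assumptions chosen here, and the sample data is constructed. It splits the secret into two halves, tabulates A1·s1 by sign bits, and looks up b − A2·s2 = A1·s1 + e, probing both buckets whenever a coordinate lies within the error bound of a bucket boundary.

```python
import itertools
import random

def center(x, q):
    """Representative of x mod q in [-q/2, q/2)."""
    x %= q
    return x - q if x >= q // 2 else x

def matvec(rows, s, q):
    return [sum(a * x for a, x in zip(r, s)) % q for r in rows]

def half_vectors(k, h):
    """All ternary vectors of length k with at most h nonzero entries."""
    return [v for v in itertools.product((-1, 0, 1), repeat=k)
            if sum(map(abs, v)) <= h]

def candidate_bits(w, q, E):
    """Sign bits each coordinate of w could have after a shift of at most E.
    Needs 2*E < q/2 so an interval crosses at most one boundary (0 or q/2)."""
    half = q // 2
    return [{(x - E) % q >= half, (x + E) % q >= half} for x in w]

def mitm_lwe(A, b, q, E, h):
    """Return every s = (s1 | s2) with each half of weight <= h and
    |b - A s| <= E coordinate-wise, using b - A2 s2 = A1 s1 + e."""
    k = len(A[0]) // 2
    A1, A2 = [r[:k] for r in A], [r[k:] for r in A]
    table = {}
    for s1 in half_vectors(k, h):              # table side: exact values A1*s1
        u = matvec(A1, s1, q)
        table.setdefault(tuple(x >= q // 2 for x in u), []).append((s1, u))
    found = []
    for s2 in half_vectors(len(A[0]) - k, h):  # query side: noisy values
        w = [(bi - x) % q for bi, x in zip(b, matvec(A2, s2, q))]
        for key in itertools.product(*candidate_bits(w, q, E)):
            for s1, u in table.get(key, []):
                if all(abs(center(wi - ui, q)) <= E for wi, ui in zip(w, u)):
                    found.append(s1 + s2)
    return found

def toy_instance(n=10, m=8, q=2**20, E=2, h=3, seed=1):
    """Constructed sample: random A, ternary secret of weight h, error in [-E, E]."""
    rng = random.Random(seed)
    s = [0] * n
    for i in rng.sample(range(n), h):
        s[i] = rng.choice((-1, 1))
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(v + rng.randint(-E, E)) % q for v in matvec(A, s, q)]
    return A, b, tuple(s)
```

The number of extra bucket probes per query grows with the fraction of coordinates that fall within E of a boundary, which is why a large modulus relative to the error keeps the lookup cheap.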

Highlights

  • The Learning with Errors (LWE) problem has brought many fruitful applications in the cryptographic world [1]–[7]

  • The LWE problem is as intractable as known hard lattice problems, even in the average case in a certain parameter regime

  • The LWE problem plays an important role in cryptography, especially for homomorphic encryption (HE) [9]–[15]

Summary

A Hybrid of Dual and Meet-in-the-Middle Attack on Sparse and Ternary Secret LWE

Department of Mathematical Sciences, Seoul National University, Seoul 151-742, South Korea.

This work was supported in part by the Samsung Research Funding Center of Samsung Electronics under Project SRFC-TB1403-52, and in part by the Institute for Information and Communication Technology Promotion (IITP) grant funded by the Korea Government (No 2016-6-00598, The mathematical structure of functional encryption and its analysis).

INTRODUCTION
LATTICE REDUCTION AND BKZ ALGORITHM
IMPROVED DUAL ATTACK
MEET-IN-THE-MIDDLE ATTACK ON LWE
A NEW HYBRID ATTACK FOR THE LWE PROBLEM
DIMENSION-ERROR TRADE-OFF OF LWE
ATTACK COMPLEXITY ESTIMATION
A FLAW OF MEET-IN-THE-MIDDLE