{"title":"Revisiting the Hybrid Attack on Sparse Secret LWE and Application to HE Parameters","authors":"Yongha Son, J. Cheon","doi":"10.1145/3338469.3358941","DOIUrl":null,"url":null,"abstract":"In the practical use of the Learning With Error (LWE) based cryptosystems, it is quite common to choose the secret to be extremely small: one popular choice is ternary ((±1,0),coefficient vector, and some further use ternary vector having only small numbers of nonzero coefficient, what is called \\em sparse and ternary vector. This use of small secret also benefits to attack algorithms against LWE, and currently LWE-based cryptosystems including homomorphic encryptions (HE) set parameters based on the attack complexity of those improved attacks. In this work, we revisit the well-known Howgrave-Graham's hybrid attack, which was originally designed to solve the NTRU problem, with respect to sparse and ternary secret LWE case, and also refine the previous analysis for the hybrid attack in line with LWE setting. Moreover, upon our analysis we estimate attack complexity of the hybrid attack for several LWE parameters. As a result, we argue the currently used HE parameters should be raised to maintain the same security level by considering the hybrid attack; for example, the parameter set (n,log q,σ) = (65536, 1240, 3.2) with Hamming weight of secret key h = 64, which was estimated to satisfy ≥ 128$ bit-security by the previously considered attacks, is newly estimated to provide only 113 bit-security by the hybrid attack.","PeriodicalId":332171,"journal":{"name":"Proceedings of the 7th ACM Workshop on Encrypted Computing & Applied Homomorphic Cryptography","volume":"13 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"16","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 7th ACM Workshop on Encrypted Computing & Applied Homomorphic Cryptography","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3338469.3358941","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 16
Abstract
In the practical use of the Learning With Error (LWE) based cryptosystems, it is quite common to choose the secret to be extremely small: one popular choice is ternary ((±1,0),coefficient vector, and some further use ternary vector having only small numbers of nonzero coefficient, what is called \em sparse and ternary vector. This use of small secret also benefits to attack algorithms against LWE, and currently LWE-based cryptosystems including homomorphic encryptions (HE) set parameters based on the attack complexity of those improved attacks. In this work, we revisit the well-known Howgrave-Graham's hybrid attack, which was originally designed to solve the NTRU problem, with respect to sparse and ternary secret LWE case, and also refine the previous analysis for the hybrid attack in line with LWE setting. Moreover, upon our analysis we estimate attack complexity of the hybrid attack for several LWE parameters. As a result, we argue the currently used HE parameters should be raised to maintain the same security level by considering the hybrid attack; for example, the parameter set (n,log q,σ) = (65536, 1240, 3.2) with Hamming weight of secret key h = 64, which was estimated to satisfy ≥ 128$ bit-security by the previously considered attacks, is newly estimated to provide only 113 bit-security by the hybrid attack.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
