Memory-Efficient Attacks on Small LWE Keys

IF 2.3 3区计算机科学 Q2 COMPUTER SCIENCE, THEORY & METHODS Journal of Cryptology Pub Date : 2024-08-20 DOI:10.1007/s00145-024-09516-3

Andre Esser, Arindam Mukherjee, Santanu Sarkar

{"title":"Memory-Efficient Attacks on Small LWE Keys","authors":"Andre Esser, Arindam Mukherjee, Santanu Sarkar","doi":"10.1007/s00145-024-09516-3","DOIUrl":null,"url":null,"abstract":"Combinatorial attacks on small max norm LWE keys suffer enormous memory requirements, which render them inefficient in realistic attack scenarios. Therefore, more memory-efficient substitutes for these algorithms are needed. In this work, we provide new combinatorial algorithms for recovering small max norm LWE secrets outperforming previous approaches whenever the available memory is limited. We provide analyses of our algorithms for secret key distributions of current NTRU, Kyber and Dilithium variants, showing that our new approach outperforms previous memory-efficient algorithms. For instance, considering uniformly random ternary secrets of length n we improve the best known time complexity for polynomial memory algorithms from \\(2^{1.063n}\\) down-to \\(2^{0.926n}\\). We obtain even larger gains for LWE secrets in \\(\\{-m,\\ldots ,m\\}^n\\) with \\(m=2,3\\) as found in Kyber and Dilithium. For example, for uniformly random keys in \\(\\{-2,\\ldots ,2\\}^n\\) as is the case for Dilithium we improve the previously best time under polynomial memory restriction from \\(2^{1.742n}\\) down-to \\(2^{1.282n}\\). Eventually, we provide novel time-memory trade-offs continuously interpolating between our polynomial memory algorithms and the best algorithms in the unlimited memory case (May, in: Malkin, Peikert (eds) CRYPTO 2021, Part II, Springer, Heidelberg 2021. https://doi.org/10.1007/978-3-030-84245-1_24).","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":null,"pages":null},"PeriodicalIF":2.3000,"publicationDate":"2024-08-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Cryptology","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s00145-024-09516-3","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 0

Abstract

Combinatorial attacks on small max norm LWE keys suffer enormous memory requirements, which render them inefficient in realistic attack scenarios. Therefore, more memory-efficient substitutes for these algorithms are needed. In this work, we provide new combinatorial algorithms for recovering small max norm LWE secrets outperforming previous approaches whenever the available memory is limited. We provide analyses of our algorithms for secret key distributions of current NTRU, Kyber and Dilithium variants, showing that our new approach outperforms previous memory-efficient algorithms. For instance, considering uniformly random ternary secrets of length n we improve the best known time complexity for polynomial memory algorithms from \(2^{1.063n}\) down-to \(2^{0.926n}\). We obtain even larger gains for LWE secrets in \(\{-m,\ldots ,m\}^n\) with \(m=2,3\) as found in Kyber and Dilithium. For example, for uniformly random keys in \(\{-2,\ldots ,2\}^n\) as is the case for Dilithium we improve the previously best time under polynomial memory restriction from \(2^{1.742n}\) down-to \(2^{1.282n}\). Eventually, we provide novel time-memory trade-offs continuously interpolating between our polynomial memory algorithms and the best algorithms in the unlimited memory case (May, in: Malkin, Peikert (eds) CRYPTO 2021, Part II, Springer, Heidelberg 2021. https://doi.org/10.1007/978-3-030-84245-1_24).

Abstract Image

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

对小型 LWE 密钥的内存高效攻击

对小最大规范 LWE 密钥的组合攻击需要大量内存，这使得它们在实际攻击场景中效率低下。因此，需要更多内存效率更高的算法来替代这些算法。在这项工作中，我们提供了新的组合算法，用于在可用内存有限的情况下恢复小最大规范 LWE 密钥，其性能优于以前的方法。我们对当前 NTRU、Kyber 和 Dilithium 变体的密钥分布进行了分析，结果表明我们的新方法优于以前的内存效率算法。例如，考虑到长度为n的均匀随机三元秘密，我们将多项式内存算法的已知最佳时间复杂度从\(2^{1.063n}\)降低到\(2^{0.926n}\)。我们在Kyber和Dilithium中发现，在（m=2,3）的情况下，LWE秘密的收益甚至更大。例如，对于 Dilithium 中的 \(\{-2,\ldots ,2\}^n\) 中的均匀随机密钥，我们将之前多项式内存限制下的最佳时间从 \(2^{1.742n}\) 降到了 \(2^{1.282n}\) 。最终，我们在多项式内存算法和无限内存情况下的最佳算法之间不断插值，提供了新颖的时间-内存权衡（May, in：Malkin, Peikert (eds) CRYPTO 2021, Part II, Springer, Heidelberg 2021. https://doi.org/10.1007/978-3-030-84245-1_24）。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Journal of Cryptology 工程技术-工程：电子与电气

CiteScore

7.10

自引率

3.30%

发文量

审稿时长

18 months

期刊介绍： The Journal of Cryptology is a forum for original results in all areas of modern information security. Both cryptography and cryptanalysis are covered, including information theoretic and complexity theoretic perspectives as well as implementation, application, and standards issues. Coverage includes such topics as public key and conventional algorithms and their implementations, cryptanalytic attacks, pseudo-random sequences, computational number theory, cryptographic protocols, untraceability, privacy, authentication, key management and quantum cryptography. In addition to full-length technical, survey, and historical articles, the journal publishes short notes.

期刊最新文献

Randomness Recoverable Secret Sharing Schemes Memory-Efficient Attacks on Small LWE Keys Finding Collisions in a Quantum World: Quantum Black-Box Separation of Collision-Resistance and One-Wayness Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of a Prevailing Assumption The Price of Active Security in Cryptographic Protocols