Memory-Efficient Attacks on Small LWE Keys

IF 2.3 3区 计算机科学 Q2 COMPUTER SCIENCE, THEORY & METHODS
Andre Esser, Arindam Mukherjee, Santanu Sarkar
{"title":"Memory-Efficient Attacks on Small LWE Keys","authors":"Andre Esser, Arindam Mukherjee, Santanu Sarkar","doi":"10.1007/s00145-024-09516-3","DOIUrl":null,"url":null,"abstract":"<p>Combinatorial attacks on small max norm LWE keys suffer enormous memory requirements, which render them inefficient in realistic attack scenarios. Therefore, more memory-efficient substitutes for these algorithms are needed. In this work, we provide new combinatorial algorithms for recovering small max norm LWE secrets outperforming previous approaches whenever the available memory is limited. We provide analyses of our algorithms for secret key distributions of current NTRU, Kyber and Dilithium variants, showing that our new approach outperforms previous memory-efficient algorithms. For instance, considering uniformly random ternary secrets of length <i>n</i> we improve the best known time complexity for <i>polynomial memory</i> algorithms from <span>\\(2^{1.063n}\\)</span> down-to <span>\\(2^{0.926n}\\)</span>. We obtain even larger gains for LWE secrets in <span>\\(\\{-m,\\ldots ,m\\}^n\\)</span> with <span>\\(m=2,3\\)</span> as found in Kyber and Dilithium. For example, for uniformly random keys in <span>\\(\\{-2,\\ldots ,2\\}^n\\)</span> as is the case for Dilithium we improve the previously best time under polynomial memory restriction from <span>\\(2^{1.742n}\\)</span> down-to <span>\\(2^{1.282n}\\)</span>. Eventually, we provide novel time-memory trade-offs continuously interpolating between our polynomial memory algorithms and the best algorithms in the unlimited memory case (May, in: Malkin, Peikert (eds) CRYPTO 2021, Part II, Springer, Heidelberg 2021. https://doi.org/10.1007/978-3-030-84245-1_24).</p>","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"4 1","pages":""},"PeriodicalIF":2.3000,"publicationDate":"2024-08-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Cryptology","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s00145-024-09516-3","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}
引用次数: 0

Abstract

Combinatorial attacks on small max norm LWE keys suffer enormous memory requirements, which render them inefficient in realistic attack scenarios. Therefore, more memory-efficient substitutes for these algorithms are needed. In this work, we provide new combinatorial algorithms for recovering small max norm LWE secrets outperforming previous approaches whenever the available memory is limited. We provide analyses of our algorithms for secret key distributions of current NTRU, Kyber and Dilithium variants, showing that our new approach outperforms previous memory-efficient algorithms. For instance, considering uniformly random ternary secrets of length n we improve the best known time complexity for polynomial memory algorithms from \(2^{1.063n}\) down-to \(2^{0.926n}\). We obtain even larger gains for LWE secrets in \(\{-m,\ldots ,m\}^n\) with \(m=2,3\) as found in Kyber and Dilithium. For example, for uniformly random keys in \(\{-2,\ldots ,2\}^n\) as is the case for Dilithium we improve the previously best time under polynomial memory restriction from \(2^{1.742n}\) down-to \(2^{1.282n}\). Eventually, we provide novel time-memory trade-offs continuously interpolating between our polynomial memory algorithms and the best algorithms in the unlimited memory case (May, in: Malkin, Peikert (eds) CRYPTO 2021, Part II, Springer, Heidelberg 2021. https://doi.org/10.1007/978-3-030-84245-1_24).

Abstract Image

对小型 LWE 密钥的内存高效攻击
对小最大规范 LWE 密钥的组合攻击需要大量内存,这使得它们在实际攻击场景中效率低下。因此,需要更多内存效率更高的算法来替代这些算法。在这项工作中,我们提供了新的组合算法,用于在可用内存有限的情况下恢复小最大规范 LWE 密钥,其性能优于以前的方法。我们对当前 NTRU、Kyber 和 Dilithium 变体的密钥分布进行了分析,结果表明我们的新方法优于以前的内存效率算法。例如,考虑到长度为n的均匀随机三元秘密,我们将多项式内存算法的已知最佳时间复杂度从\(2^{1.063n}\)降低到\(2^{0.926n}\)。我们在Kyber和Dilithium中发现,在(m=2,3)的情况下,LWE秘密的收益甚至更大。例如,对于 Dilithium 中的 \(\{-2,\ldots ,2\}^n\) 中的均匀随机密钥,我们将之前多项式内存限制下的最佳时间从 \(2^{1.742n}\) 降到了 \(2^{1.282n}\) 。最终,我们在多项式内存算法和无限内存情况下的最佳算法之间不断插值,提供了新颖的时间-内存权衡(May, in:Malkin, Peikert (eds) CRYPTO 2021, Part II, Springer, Heidelberg 2021. https://doi.org/10.1007/978-3-030-84245-1_24)。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
Journal of Cryptology
Journal of Cryptology 工程技术-工程:电子与电气
CiteScore
7.10
自引率
3.30%
发文量
24
审稿时长
18 months
期刊介绍: The Journal of Cryptology is a forum for original results in all areas of modern information security. Both cryptography and cryptanalysis are covered, including information theoretic and complexity theoretic perspectives as well as implementation, application, and standards issues. Coverage includes such topics as public key and conventional algorithms and their implementations, cryptanalytic attacks, pseudo-random sequences, computational number theory, cryptographic protocols, untraceability, privacy, authentication, key management and quantum cryptography. In addition to full-length technical, survey, and historical articles, the journal publishes short notes.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信