Better Key Sizes (and Attacks) for LWE-Based Encryption

Richard Lindner Chris Peikert

Motivation

Learning with Errors (LWE) is
■ Lattice-based
■ Similar to well-known coding problems [McE78, Nie86]
■ Secure assuming worst-case hardness [Reg05, Pei09]
■ Extremely versatile
    ■ Encryption secure against CPA [Reg05, KTX07, PVW08]
    ■ Encryption secure against CCA [PW08, Pei09]
    ■ Oblivious Transfer [PVW08]
    ■ (Hierarchical) Identity-based encryption [GPV08, CHKP10, ABB10]
    ■ Leakage-resilient encryption [AGV09, ACPS09, DGK+10, GKPV10]
    ■ …

18 February 2011, CT-RSA 2011


Agenda

New Scheme

New Attack

New Parameters


Learning with Errors [Reg05, Pei09]

Given random $A \in \mathbb{Z}_q^{n \times m}$ and

$p^t = s^t A + r^t \pmod q$

■ s secret
■ r small, Gaussian $(0, \sigma^2)$


Hardness
If $\sigma^2 \ge 4n$ then O(nq/σ)-SIVP ≤ Search-LWE

Equivalence
If q small prime then Search-LWE ≤ Decision-LWE

Decision-LWE
Distinguish (A, p) from uniform

Search-LWE
Find r (or s)

[Figure: block diagram of the LWE equation p = As + r]

Encryption Scheme


Encryption
■ A, p is the public key
■ LWE hides secret key
■ Leftover Hash Lemma hides ciphertext

[Figure: block diagrams of the key equation p = As + r and of the ciphertext c built from A, p, e, 0 and m]

New Scheme

[Figure: the previous key and ciphertext diagrams next to the new ones; the new key diagram uses p, r, A, s and the new ciphertext diagram uses c, A, p, e1, e2, 0, m]

New Encryption
■ LWE hides secret key and ciphertext
■ Technique similar to [LPS10, Mic10]

Advantages
■ Save lg(q) factor on public key A, per-user key p
■ Adaptable to rings


Agenda

New Scheme
■ Save lg(q) factor on public and per-user key
■ Adaptable to rings

New Attack

New Parameters


LWE Attacks

Attack on Decision
■ Find short z in $L_{dual}$ (Az = 0)
■ $p^t z = s^t A z + r^t z = r^t z$ small iff p is LWE


New Attack on Search
■ Find short basis of L
■ Solve bounded distance decoding on p to recover r
■ $T_{Total} = T_{Reduce} + T_{BDD}$

Lattice
■ Set of all $s^t A \pmod q$ forms lattice L
■ p is lattice point perturbed by r

BDD - Nearest Plane [Bab86]

[Figure: basis vectors b1 and b2, the lattice point s^t A and the target p^t]

BDD - Nearest Planes

[Figure: basis vectors b1 and b2, the lattice point s^t A and the target p^t, annotated "Recurse twice on b2"]

Summary

■ Can recurse many times to improve success probability
■ Get many candidate e and check which works

Attack tweaks
■ Optimal plane selection for known error distribution
■ Recursions parallelizable

Advantages
■ Effective with less reduced basis
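The nearest-plane and nearest-planes decoding summarised above, as an added Python example (not code from the talk or its authors) that shows why trying several planes helps with a less reduced basis. The toy lattice, both bases, the target and all function names are constructed for illustration; `d[k]` is the number of planes tried along the k-th Gram-Schmidt vector.

```python
from fractions import Fraction

def dot(u, v):
    return sum(Fraction(a) * b for a, b in zip(u, v))

def gram_schmidt(basis):
    """Unnormalised Gram-Schmidt vectors b_k* of the basis rows."""
    ortho = []
    for b in basis:
        w = [Fraction(x) for x in b]
        for o in ortho:
            mu = dot(b, o) / dot(o, o)
            w = [wi - mu * oi for wi, oi in zip(w, o)]
        ortho.append(w)
    return ortho

def nearest_planes(basis, d, target):
    """Candidate lattice points near target, trying d[k] planes along b_k*."""
    ortho = gram_schmidt(basis)
    def recurse(k, t):
        if k < 0:
            return [tuple(0 for _ in t)]
        c = dot(t, ortho[k]) / dot(ortho[k], ortho[k])
        lo = c // 1  # floor of the exact coefficient
        # the d[k] integers closest to c; d[k] = 1 is Babai's nearest plane
        planes = sorted(range(lo - d[k], lo + d[k] + 2), key=lambda z: abs(z - c))[:d[k]]
        found = []
        for z in planes:
            rest = [ti - z * bi for ti, bi in zip(t, basis[k])]
            found += [tuple(vi + z * bi for vi, bi in zip(v, basis[k]))
                      for v in recurse(k - 1, rest)]
        return found
    return recurse(len(basis) - 1, list(target))

def decode(basis, d, target):
    """Check all candidates and keep the one with the shortest error."""
    errs = {v: tuple(t - x for t, x in zip(target, v))
            for v in nearest_planes(basis, d, target)}
    best = min(errs, key=lambda v: sum(x * x for x in errs[v]))
    return best, errs[best]

# Constructed toy lattice {(x, y) : x = 3y mod 10}, described by two bases.
REDUCED = [(3, 1), (1, -3)]      # short, orthogonal basis
UNREDUCED = [(13, 1), (3, 1)]    # same lattice, poorly reduced
TARGET = (23, 2)                 # lattice point (23, 1) plus error (0, 1)

if __name__ == "__main__":
    print(decode(REDUCED, (1, 1), TARGET))    # one plane per level, good basis
    print(decode(UNREDUCED, (1, 1), TARGET))  # one plane per level, bad basis
    print(decode(UNREDUCED, (1, 3), TARGET))  # three planes along b_2*
```

With one plane per level the poorly reduced basis returns the wrong lattice point, while three planes along its short Gram-Schmidt vector recover the same answer as the reduced basis, which is the trade between reduction time and decoding time in $T_{Total} = T_{Reduce} + T_{BDD}$.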


Agenda

New Scheme
■ Save lg(q) factor on public and per-user key
■ Adaptable to rings

New Attack
■ Effective with less reduced bases

New Parameters


New Parameters


Parameters (keysize: regular / ring)                  Success probability   Attack [MR09], log(secs)   New (Planes), log(secs)
Previous [MR09], per-user key: 2736 / 20 KBits        ≈ 1                   219                        68
                                                      2^-32                 33                         27
New (medium security), per-user key: 392 / 2 KBits    ≈ 1                   258                        132
                                                      2^-32                 96                         90

Advantages
■ Major improvement for high advantage attack
■ Save 90% on keysize and provide better security

Contributions

New Scheme
■ Save lg(q) factor on public and per-user key
■ Adaptable to rings

New Attack
■ Effective with less reduced bases
■ Major improvement for high advantage attack

New Parameters
■ Save 90% on keysize and provide better security


Thank you

Further Questions?
