Dual Lattice Attacks for Closest Vector Problems (with Preprocessing)

Bibliographic Details
Title: Dual Lattice Attacks for Closest Vector Problems (with Preprocessing)
Authors: Laarhoven, Thijs; Walter, Michael
Contributors: Paterson, Kenneth G.
Source: Laarhoven, T & Walter, M 2021, Dual Lattice Attacks for Closest Vector Problems (with Preprocessing). in K G Paterson (ed.), Topics in Cryptology-CT-RSA 2021 : Cryptographers’ Track at the RSA Conference 2021, Virtual Event, May 17–20, 2021, Proceedings. Lecture Notes in Computer Science, vol. 12704 LNCS, Springer, pp. 478-502. https://doi.org/10.1007/978-3-030-75539-3_20
Publisher Information: Springer
Publication Year: 2021
Subject Terms: Bounded distance decoding (BDD), Closest vector problem (CVP), Lattice algorithms, Lattice-based cryptography, Primal/dual attacks
Description: The dual attack has long been considered a relevant attack on lattice-based cryptographic schemes relying on the hardness of learning with errors (LWE) and its structured variants. As solving LWE corresponds to finding a nearest point on a lattice, one may naturally wonder how efficient this dual approach is for solving more general closest vector problems, such as the classical closest vector problem (CVP), the variants bounded distance decoding (BDD) and approximate CVP, and preprocessing versions of these problems. While primal, sieving-based solutions to these problems (with preprocessing) were recently studied in a series of works on approximate Voronoi cells [Laa16b, DLdW19, Laa20, DLvW20], for the dual attack no such overview exists, especially for problems with preprocessing. With one of the take-away messages of the approximate Voronoi cell line of work being that primal attacks work well for approximate CVP(P) but scale poorly for BDD(P), one may further wonder if the dual attack suffers the same drawbacks, or if it is perhaps a better solution when trying to solve BDD(P). In this work we provide an overview of cost estimates for dual algorithms for solving these “classical” closest lattice vector problems. Heuristically we expect to solve the search version of average-case CVPP in time and space $2^{0.293d + o(d)}$ in the single-target model. The distinguishing version of average-case CVPP, where we wish to distinguish between random targets and targets planted at distance (say) $0.99 \cdot g_d$ from the lattice, has the same complexity in the single-target model, but can be solved in time and space $2^{0.195d + o(d)}$ in the multi-target setting, when given a large number of targets from either target distribution. This suggests an inequivalence between distinguishing and searching, as we do not expect a similar improvement in the multi-target setting to hold for search-CVPP.
We analyze three slightly different decoders, both for distinguishing and searching, and experimentally obtain concrete cost ...
Document Type: article in journal/newspaper
Language: English
ISBN: 978-3-030-75538-6
3-030-75538-X
Relation: info:eu-repo/semantics/altIdentifier/isbn/9783030755386; urn:ISBN:9783030755386
DOI: 10.1007/978-3-030-75539-3_20
Availability: https://research.tue.nl/en/publications/4d9a9fe9-0918-4bfd-9bd1-7e05e3374e87
https://doi.org/10.1007/978-3-030-75539-3_20
https://www.scopus.com/pages/publications/85111049622
Rights: info:eu-repo/semantics/closedAccess
Accession Number: edsbas.52F3BDB4
Database: BASE