Memory-Efficient Attacks on Small LWE Keys

Combinatorial attacks on small max norm LWE keys suffer enormous memory requirements, which render them inefficient in realistic attack scenarios. Therefore, more memory-efficient substitutes for these algorithms are needed. In this work, we provide new combinatorial algorithms for recovering small...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Journal of cryptology Jg. 37; H. 4; S. 36
Hauptverfasser: Esser, Andre, Mukherjee, Arindam, Sarkar, Santanu
Format: Journal Article
Sprache:Englisch
Veröffentlicht: New York Springer US 01.10.2024
Springer Nature B.V
Schlagworte:
Algorithms
Binomial distribution
Coding and Information Theory
Combinatorial analysis
Combinatorics
Communications Engineering
Computational Mathematics and Numerical Analysis
Computer Science
Networks
Polynomials
Probability Theory and Stochastic Processes
Research Article
Nested collision search
Time-memory trade-off
Representation technique
Polynomial memory
Combinatorial attacks
Learning with errors
ISSN:0933-2790, 1432-1378
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Combinatorial attacks on small max norm LWE keys suffer enormous memory requirements, which render them inefficient in realistic attack scenarios. Therefore, more memory-efficient substitutes for these algorithms are needed. In this work, we provide new combinatorial algorithms for recovering small max norm LWE secrets outperforming previous approaches whenever the available memory is limited. We provide analyses of our algorithms for secret key distributions of current NTRU, Kyber and Dilithium variants, showing that our new approach outperforms previous memory-efficient algorithms. For instance, considering uniformly random ternary secrets of length n we improve the best known time complexity for polynomial memory algorithms from 2 1.063 n down-to 2 0.926 n . We obtain even larger gains for LWE secrets in { - m , … , m } n with m = 2 , 3 as found in Kyber and Dilithium. For example, for uniformly random keys in { - 2 , … , 2 } n as is the case for Dilithium we improve the previously best time under polynomial memory restriction from 2 1.742 n down-to 2 1.282 n . Eventually, we provide novel time-memory trade-offs continuously interpolating between our polynomial memory algorithms and the best algorithms in the unlimited memory case (May, in: Malkin, Peikert (eds) CRYPTO 2021, Part II, Springer, Heidelberg 2021. https://doi.org/10.1007/978-3-030-84245-1_24 ).
Bibliographie:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:0933-2790
1432-1378
DOI:10.1007/s00145-024-09516-3