Better Key Sizes (and Attacks) for LWE-Based Encryption
Richard Lindner, Chris Peikert
Motivation
Learning with Errors (LWE) is
■ Lattice-based
■ Similar to well-known coding problems [McE 78, Nie 86]
■ Secure assuming worst-case hardness [Reg 05, Pei 09]
■ Extremely versatile
  ■ Encryption secure against CPA [Reg 05, KTX 07, PVW 08]
  ■ Encryption secure against CCA [PW 08, Pei 09]
  ■ Oblivious Transfer [PVW 08]
  ■ (Hierarchical) Identity-based encryption [GPV 08, CHKP 10, ABB 10]
  ■ Leakage-resilient encryption [AGV 09, ACPS 09, DGK+10, GKPV 10]
  ■ …
18 February 2011, CT-RSA 2011
Agenda
New Scheme
New Attack
New Parameters
Learning with Errors [Reg 05, Pei 09]
Given random $A$ in $\mathbb{Z}_q^{n \times m}$
$p^t = s^t A + r^t \pmod{q}$
$s$ secret
$r$ small, Gaussian $(0, \sigma^2)$
Decision-LWE: Distinguish $(A, p)$ from uniform
Search-LWE: Find $r$ (or $s$)
Hardness: If $\sigma^2 \ge 4n$ then $O(nq/\sigma)$-SIVP ≤ Search-LWE
Equivalence: If $q$ small prime then Search-LWE ≤ Decision-LWE
[Figure: block diagram of the equation relating A, s, r and p]
Encryption Scheme
Given random $A$ in $\mathbb{Z}_q^{n \times m}$
$p^t = s^t A + r^t \pmod{q}$
$s$ secret
$r$ small, Gaussian $(0, \sigma^2)$
Encryption
■ A, p is the public key
■ LWE hides secret key
■ Leftover Hash Lemma hides ciphertext
[Figure: block diagrams of the key equation (A, s, r, p) and of the ciphertext c formed from A, p, 0, e and m]
New Scheme
[Figure: the previous ciphertext diagram (A, p, 0, e, m) shown beside the new one (A, p, 0, e_1, e_2, m), each with the key equation (A, s, r, p)]
New Scheme
New Encryption
■ LWE hides secret key and ciphertext
■ Technique similar to [LPS 10, Mic 10]
Advantages
■ Save lg(q) factor on public key A, per-user key p
■ Adaptable to rings
[Figure: block diagrams of the key equation (A, s, r, p) and of the ciphertext c formed from A, p, 0, e_1, e_2 and m]
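A toy single-bit version of the scheme sketched on this slide, written as an added example; it is not the authors' code. Assumptions not on the slides: the sizes Q, N, M, ternary noise in place of the Gaussian, a short secret s, the bit encoded as bit·⌊q/2⌋, and all function names.

```python
import random

Q, N, M = 257, 16, 16   # assumed toy sizes; far too small for real security

def small(k, rng):
    # Ternary noise in {-1, 0, 1}: a bounded stand-in for Gaussian(0, sigma^2)
    return [rng.choice((-1, 0, 1)) for _ in range(k)]

def keygen(rng):
    # A is uniform and can be shared by all users; p is the per-user key
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    s, r = small(N, rng), small(M, rng)   # short secret (assumed) and short error
    # p^t = s^t A + r^t (mod q): LWE hides s
    p = [(sum(s[i] * A[i][j] for i in range(N)) + r[j]) % Q for j in range(M)]
    return A, p, s

def encrypt(A, p, bit, rng):
    # Ciphertext is [A; p^t] e1 + e2 + [0; m]: a second LWE instance hides e1,
    # so no Leftover Hash Lemma (and no lg(q)-times-wider A) is needed
    e1, e2 = small(M, rng), small(N + 1, rng)
    c1 = [(sum(A[i][j] * e1[j] for j in range(M)) + e2[i]) % Q for i in range(N)]
    c2 = (sum(p[j] * e1[j] for j in range(M)) + e2[N] + bit * (Q // 2)) % Q
    return c1, c2

def decrypt(s, c1, c2):
    # c2 - s^t c1 = r^t e1 + e2[N] - s^t e2[:N] + bit*floor(q/2)  (mod q)
    # With ternary noise the error term is at most M + 1 + N = 33 < q/4,
    # so rounding to the nearest multiple of floor(q/2) always recovers the bit
    v = (c2 - sum(s[i] * c1[i] for i in range(N))) % Q
    return 1 if Q // 4 < v < 3 * Q // 4 else 0

def roundtrip(seed, trials=20):
    # Encrypt and decrypt both bit values repeatedly under one key pair
    rng = random.Random(seed)
    A, p, s = keygen(rng)
    return all(decrypt(s, *encrypt(A, p, b, rng)) == b
               for _ in range(trials) for b in (0, 1))

if __name__ == "__main__":
    print("round trip ok:", roundtrip(2011))
```

Decryption is exact here only because the noise is bounded; with true Gaussian errors the same rounding step fails with a small probability that depends on σ and q.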
Agenda
New Scheme
■ Save lg(q) factor on public and per-user key
■ Adaptable to rings
New Attack
New Parameters
LWE Attacks
Given random $A$ in $\mathbb{Z}_q^{n \times m}$
$p^t = s^t A + r^t \pmod{q}$
$s$ secret
$r$ small, Gaussian $(0, \sigma^2)$
Lattice
■ Set of all $s^t A \pmod{q}$ forms lattice $L$
■ $p$ is lattice point perturbed by $r$
Attack on Decision
■ Find short $z$ in $L^{\text{dual}}$ ($Az = 0$)
■ $p^t z = s^t A z + r^t z = r^t z$ small iff $p$ is LWE
New Attack on Search
■ Find short basis of $L$
■ Solve bounded distance decoding on $p$ to recover $r$
■ $T_{\text{Total}} = T_{\text{Reduce}} + T_{\text{BDD}}$
BDD - Nearest Plane [Bab 86]
[Figure: lattice with basis vectors b_1 and b_2, the lattice point s^t A and the target p^t]
BDD - Nearest Planes
Recurse twice on b_2
[Figure: lattice with basis vectors b_1 and b_2, the lattice point s^t A and the target p^t]
Summary
Can recurse many times to improve success probability
Get many candidate e and check which works
Attack tweaks
■ Optimal plane selection for known error distribution
■ Recursions parallelizable
Advantages
■ Effective with less reduced basis
Agenda
New Scheme
■ Save lg(q) factor on public and per-user key
■ Adaptable to rings
New Attack
■ Effective with less reduced bases
New Parameters
New Parameters
Keysize: regular / ring
Previous [MR 09], Per-User key: 2736 / 20 KBits
New (medium security), Per-User key: 392 / 2 KBits
[Table, flattened in extraction. Headers: Success Probability, Attack [MR 09], New (Planes), log(secs). Values as extracted:]
¼ 1 2 -32 219 33 68 27
¼ 1 2 -32 258 96 132 90
Advantages
■ Major improvement for high advantage attack
■ Save 90% on keysize and provide better security
Contributions
New Scheme
■ Save lg(q) factor on public and per-user key
■ Adaptable to rings
New Attack
■ Effective with less reduced bases
■ Major improvement for high advantage attack
New Parameters
■ Save 90% on keysize and provide better security
Thank you
Further Questions?
- Slides: 19