
The cool and the cruel: separating hard parts of LWE secrets

Niklas Nolte, Mohamed Malhou, Emily Wenger, Samuel Stevens, Cathy Li, François Charton, Kristin Lauter

TL;DR

A new statistical attack with low memory requirement that uses statistical techniques to distinguish distributions to identify both the cruel and the cool bits of the secret.

Abstract

Sparse binary LWE secrets are under consideration for standardization for Homomorphic Encryption and its applications to private computation. Known attacks on sparse binary LWE secrets include the sparse dual attack and the hybrid sparse dual-meet in the middle attack which requires significant memory. In this paper, we provide a new statistical attack with low memory requirement. The attack relies on some initial lattice reduction. The key observation is that, after lattice reduction is applied to the rows of a q-ary-like embedded random matrix $\mathbf A$, the entries with high variance are concentrated in the early columns of the extracted matrix. This allows us to separate out the "hard part" of the LWE secret. We can first solve the sub-problem of finding the "cruel" bits of the secret in the early columns, and then find the remaining "cool" bits in linear time. We use statistical techniques to distinguish distributions to identify both the cruel and the cool bits of the secret. We provide concrete attack timings for recovering secrets in dimensions $n=256$, $512$, and $768$. For the lattice reduction stage, we leverage recent improvements in lattice reduction (e.g. flatter) applied in parallel. We also apply our new attack in the RLWE setting for $2$-power cyclotomic rings, showing that these RLWE instances are much more vulnerable to this attack than LWE.

Paper Structure (18 sections, 25 equations, 5 figures, 9 tables, 1 algorithm)

This paper contains 18 sections, 25 equations, 5 figures, 9 tables, 1 algorithm.

Figures (5)

  • Figure 1: The standard deviation of elements within each column of the $\mathbf{A}$ matrix before and after reduction (and extraction from the q-ary embedding) for various $n$/$q$ settings. The first $n_u$ unreduced columns (left half of the figures) correspond to the "cruel" bits of the secret, while the remaining $n_r = n - n_u$ are the "cool" bits. This phenomenon is distinct from the "z-shape" exhibited by the Gram-Schmidt orthogonalized rows of a q-ary lattice before and after lattice reduction [howgrave2007hybrid, albrecht2021lattice] (see Appendix \ref{subsec:zshape} for details).
  • Figure 2: Histogram of 4 million samples of the residual $(\mathbf a \cdot \mathbf{s^*} - b) \mod q$ (centered and normalized) for different secret guesses $\mathbf{s^*}$ ($n=512$, $\log_2 q = 41$, $h=20$). The three histograms correspond to three different guesses. Blue corresponds to the true secret, orange to the secret candidate that has only the first $n_u=75$ bits correct and green to a random secret with $h=20$. The numbers in the legend correspond to the sample standard deviation relative to the uniform standard deviation $\frac{q}{\sqrt{12}}$.
  • Figure 3: Exhaustive search cost ratio for LWE versus RLWE assuming a fixed $10\%n$ binary secret sparsity. The values of $n_u$ are obtained experimentally.
  • Figure 4: Effect of shifting the RLWE circulant matrix on number of $h_u$ secret bits, for $n=256$, $\log_2 q=12$, $n_u=143$, $h=20$.
  • Figure 5: The log-norms of Gram-Schmidt orthogonalized rows of q-ary embedded $\mathbf{A}$ (left) and the stdev of columns of $\mathbf{A}$ after it is extracted from the q-ary embedding. Both results are for $n=256$, $\log_2 q=12$ LWE problems, using the same $\mathbf{A}$ matrix.
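The residual statistic described in the abstract and in the Figure 2 caption can be reproduced on synthetic data. The following is an added example, not code from the paper: it skips lattice reduction and instead constructs samples whose first `N_U` columns are uniform mod `Q` and whose remaining columns are small, and it replaces Figure 2's random guess with a guess that has a single cruel bit wrong. All parameter values (`Q`, `N`, `N_U`, `M`, the column widths and the noise width) are toy assumptions chosen so the script runs in about a second.

```python
import math
import random
import statistics

Q = 4096          # toy modulus (assumption, not a parameter set from the paper)
N, N_U = 64, 16   # dimension and number of unreduced ("cruel") columns
M = 2000          # number of constructed samples

def centered(x, q=Q):
    """Map x mod q into the interval [-q/2, q/2)."""
    return (x + q // 2) % q - q // 2

def make_samples(secret, rng):
    """Constructed stand-in for reduced samples: the first N_U columns are
    uniform mod Q (high variance), the rest are small (low variance)."""
    rows = []
    for _ in range(M):
        a = [rng.randrange(-Q // 2, Q // 2) for _ in range(N_U)]
        a += [rng.randint(-Q // 64, Q // 64) for _ in range(N - N_U)]
        e = round(rng.gauss(0, 10))                      # small error term
        b = (sum(x * s for x, s in zip(a, secret)) + e) % Q
        rows.append((a, b))
    return rows

def relative_std(samples, guess):
    """Std of the centered residual (a.guess - b) mod Q, divided by the
    uniform standard deviation Q / sqrt(12)."""
    res = [centered(sum(x * g for x, g in zip(a, guess)) - b)
           for a, b in samples]
    return statistics.pstdev(res) / (Q / math.sqrt(12))

def demo(seed=1):
    rng = random.Random(seed)
    secret = [0] * N
    # Sparse binary secret: 3 ones among the cruel bits, 5 among the cool bits.
    for i in rng.sample(range(N_U), 3) + rng.sample(range(N_U, N), 5):
        secret[i] = 1
    samples = make_samples(secret, rng)
    cruel_only = secret[:N_U] + [0] * (N - N_U)   # cruel bits right, cool bits zero
    wrong_cruel = secret[:]
    wrong_cruel[0] ^= 1                            # one cruel bit wrong
    return {
        "true": relative_std(samples, secret),
        "cruel_only": relative_std(samples, cruel_only),
        "wrong_cruel": relative_std(samples, wrong_cruel),
    }

if __name__ == "__main__":
    for name, ratio in demo().items():
        print(f"{name:12s} relative std = {ratio:.3f}")
```

A guess that is correct on the cruel bits gives a residual far narrower than uniform even with every cool bit unknown, while one wrong cruel bit makes the residual indistinguishable from uniform.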