Benchmarking Attacks on Learning with Errors

TL;DR

This work addresses the need for concrete security evaluation of standardized LWE parameters used in systems like KYBER and HE by introducing the first practical LWE attack benchmarks. It benchmarks four attacks—uSVP, SALSA, Cool & Cruel, and Dual Hybrid MitM—on KYBER-like MLWE and HE-like RLWE/MLWE settings, extending attacks with cliff shifting, rotation tricks, slope distinguishers, and preprocessing innovations. The key findings show SALSA and Cool & Cruel recovering binomial secrets with $h=9$–$11$ in $28$–$36$ hours for Kyber, while Dual Hybrid MitM solves Decision-LWE for $h le 4$ in under an hour; uSVP largely fails within $1100$ hours. The work also exposes gaps between theoretical estimates and practical performance, provides open-source tooling, and lays a foundation for broader benchmarking and attack optimization in LWE security research.

Abstract

Lattice cryptography schemes based on the learning with errors (LWE) hardness assumption have been standardized by NIST for use as post-quantum cryptosystems, and by HomomorphicEncryption.org for encrypted compute on sensitive data. Thus, understanding their concrete security is critical. Most work on LWE security focuses on theoretical estimates of attack performance, which is important but may overlook attack nuances arising in real-world implementations. The sole existing concrete benchmarking effort, the Darmstadt Lattice Challenge, does not include benchmarks relevant to the standardized LWE parameter choices - such as small secret and small error distributions, and Ring-LWE (RLWE) and Module-LWE (MLWE) variants. To improve our understanding of concrete LWE security, we provide the first benchmarks for LWE secret recovery on standardized parameters, for small and low-weight (sparse) secrets. We evaluate four LWE attacks in these settings to serve as a baseline: the Search-LWE attacks uSVP, SALSA, and Cool & Cruel, and the Decision-LWE attack: Dual Hybrid Meet-in-the-Middle (MitM). We extend the SALSA and Cool & Cruel attacks in significant ways, and implement and scale up MitM attacks for the first time. For example, we recover hamming weight $9-11$ binomial secrets for KYBER ($κ=2$) parameters in $28-36$ hours with SALSA and Cool\&Cruel, while we find that MitM can solve Decision-LWE instances for hamming weights up to $4$ in under an hour for Kyber parameters, while uSVP attacks do not recover any secrets after running for more than $1100$ hours. We also compare concrete performance against theoretical estimates. Finally, we open source the code to enable future research.

Figures (4)

• Figure 1: Slope distinguisher for recovering general secrets. This distinguisher computes $b=f({\bf a} + x {\bf e_i})$ for varying $x \in [0,q]$ and recovers secret bit values from the slope of this line. This plot is for $s_4 = -4$. The blue line "pred b" plots model outputs $b=f({\bf a} + x {\bf e_i})$ for $x \in [0,q]$ for some fixed in-distribution $a$. The green line "true b" shows $f_{\text{true}}({\bf a} + x {\bf e_i}) = {\bf a}\cdot {\bf s}+xs_i$. Model $f$ is trained on BKZ-reduced LWE data with Gaussian secrets, $n=256, \log q =20$.
• Figure 2: Larger BKZ2.0 block size produces data with a smaller cliff. As block size increases (color tends toward yellow), BKZ2.0 yields rows of $U\Lambda$ with more entries tending towards the reduced value. Figure shows parameters $n=m=256$, $q=3329$, $\omega=1$, and varying block size $\beta$.
• Figure 3: Visualization of empirical and ideal Irwin-Hall distribution for $n=256$, $k=1$, $\log_2q=12$ setting.
• Figure 4: The flatter algorithm performs significantly better on LWE matrices generated with the C random LCG than with the numpy random Mersenne twister. Y-axis shows reduction in standard deviation of ${\bf A}$ elements vs. uniform random standard deviation (lower values indicate stronger reduction).