Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Lattice-Based Vulnerabilities in Lee Metric Post-Quantum Cryptosystems

Anna-Lena Horlemann, Karan Khathuria, Marc Newman, Amin Sakzad, Carlos Vela Cabello

TL;DR

This paper considers a generic Lee metric based McEliece type cryptosystem and evaluates its security against lattice-based attacks, including potential vulnerabilities to lattice-based attack techniques.

Abstract

Post-quantum cryptography has gained attention due to the need for secure cryptographic systems in the face of quantum computing. Code-based and lattice-based cryptography are two prominent approaches, both heavily studied within the NIST standardization project. Code-based cryptography -- most prominently exemplified by the McEliece cryptosystem -- is based on the hardness of decoding random linear error-correcting codes. Despite the McEliece cryptosystem having been unbroken for several decades, it suffers from large key sizes, which has led to exploring variants using metrics than the Hamming metric, such as the Lee metric. This alternative metric may allow for smaller key sizes, but requires further analysis for potential vulnerabilities to lattice-based attack techniques. In this paper, we consider a generic Lee metric based McEliece type cryptosystem and evaluate its security against lattice-based attacks.

Lattice-Based Vulnerabilities in Lee Metric Post-Quantum Cryptosystems

TL;DR

This paper considers a generic Lee metric based McEliece type cryptosystem and evaluates its security against lattice-based attacks, including potential vulnerabilities to lattice-based attack techniques.

Abstract

Post-quantum cryptography has gained attention due to the need for secure cryptographic systems in the face of quantum computing. Code-based and lattice-based cryptography are two prominent approaches, both heavily studied within the NIST standardization project. Code-based cryptography -- most prominently exemplified by the McEliece cryptosystem -- is based on the hardness of decoding random linear error-correcting codes. Despite the McEliece cryptosystem having been unbroken for several decades, it suffers from large key sizes, which has led to exploring variants using metrics than the Hamming metric, such as the Lee metric. This alternative metric may allow for smaller key sizes, but requires further analysis for potential vulnerabilities to lattice-based attack techniques. In this paper, we consider a generic Lee metric based McEliece type cryptosystem and evaluate its security against lattice-based attacks.
Paper Structure (13 sections, 22 theorems, 62 equations, 3 figures, 1 table, 1 algorithm)

This paper contains 13 sections, 22 theorems, 62 equations, 3 figures, 1 table, 1 algorithm.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Lee metric codes and the Lee-McEliece system
  4. Lattice theory
  5. Distributions
  6. Complexity Reductions of Lee Metric Decoding Problems
  7. Containment of Finite Codes in Construction A Lattices
  8. Comparison of Error Distributions
  9. Lee vs. Hamming distribution
  10. Laplace vs. Gaussian distribution
  11. Lower bound on KL divergence between discrete Laplace and discrete Gaussian:
  12. Conclusions
  13. Proof of Minkowski's convex body theorem (Theorem \ref{['thm:minkowski']})

Key Result

Lemma 2.3

Figures (3)

  • Figure 1: Scheme of the reductions for full rank integer lattices in the $\ell_1$-norm.
  • Figure 2: Lattices $\mathcal{L}_{\mathsf{A}}$ and $\mathcal{L}_{\mathsf{A}_{\mathbf{G}}}$ for $\mathcal{C}_1$ and $\mathcal{C}_2$ in Example \ref{['Example:LattCont_1']}.
  • Figure 3: Numerical estimates of the minimal KL divergence between Laplace and Gaussian distribution. In the left figure, we plot the minimum $KL(\mathop{\mathrm{Lap}}\nolimits_{\mathbb{Z},b}|\mathop{\mathrm{D}}\nolimits_{\mathbb{Z},\sigma})$ (solid blue line) as a function of $b$ and compare it with the constant $\frac{\log(\pi)-1}{2}$ (dashed red line) corresponding to the continuous case (Corollary \ref{['cor:KL']}). In the right figure, we plot the corresponding $\sigma_{\min}$ where the minimum divergence is achieved. Here again we compare $\sigma_{\min}$ with the minimum sigma $\sigma = b \sqrt{2}$ obtained in the continuous case (Corollary \ref{['cor:KL']}).

Theorems & Definitions (57)

  • Definition 2.1
  • Definition 2.2
  • Lemma 2.3
  • Remark 2.4
  • Definition 2.5
  • Definition 2.6
  • Remark 2.9
  • Definition 2.10
  • Definition 2.11
  • Theorem 2.14
  • ...and 47 more