Security Analysis of Integer Learning with Errors with Rejection Sampling

Kyle Yates, Antsa Pierrottet, Abdullah Al Mamun, Ryann Cartor, Mashrur Chowdhury, Shuhong Gao

TL;DR

This work analyzes the security of integer learning with errors (ILWE) when rejection sampling is used in lattice-based digital signatures, evaluating the direct ILWE instances derived from signature data without side-channel leakage. It extends and simulates Bootle et al.'s least-squares attack using real-valued matrix representations of polynomials and develops large-sample strategies to test parameter security, with experiments on CRYSTALS-Dilithium-like rejection sampling. The results show that, for subgaussian distributions, the LS attack can recover the secret under certain parameter regimes, while uniform distributions and practical parameter choices remain resistant. The study underscores the importance of sampling distribution and parameter selection in ILWE-based signatures and discusses implications for real-world deployment in critical domains such as Intelligent Transportation Systems and post-quantum security.

Abstract

At ASIACRYPT 2018, a digital attack based on linear least squares was introduced for a variant of the learning with errors (LWE) problem which omits modular reduction known as the integer learning with errors problem (ILWE). In this paper, we present a theoretical and experimental study of the effectiveness of the attack when applied directly to small parameter ILWE instances found in popular digital signature schemes such as CRYSTALS-Dilithium which utilize rejection sampling. Unlike other studies which form ILWE instances based on additional information obtained from side-channel attacks, we take a more direct approach to the problem by constructing our ILWE instance from only the obtained signatures. We outline and introduce novel techniques in our simulation designs such as modular polynomial arithmetic via matrices in $\mathbb{R}$, as well as algorithms for handling large sample sizes efficiently. Our experimental results reinforce the proclaimed security of signature schemes based on ILWE. We additionally discuss the implications of our work and digital signatures as a whole in regards to real-world applications such as in Intelligent Transportation Systems (ITS).

Paper Structure

This paper contains 22 sections, 1 theorem, 23 equations, 7 figures, 3 tables.

Key Result

Theorem 2.1

Suppose that $\chi_a$ is $\tau_a$-subgaussian and $\chi_e$ is $\tau_e$-subgaussian, and let $(\textup{A},\textup{b} = \textup{A}\textup{s} + \textup{e})$ be the data constructed from $m$ samples of the ILWE with $\textup{A}\leftarrow \chi_a^{m\times k}$, $\textup{e} \leftarrow \chi_e^{k}$, and $\textup then the least squares estimator $\hat{\textup{s}} = (\textup{A}^{\top} \textup{A})^{-1} \textup{A}
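
The least-squares estimator from Theorem 2.1, worked through on a toy ILWE instance as an added example (not code from the paper). Rounded Gaussians stand in for $\chi_a$ and $\chi_e$, and the secret, dimensions, parameters and function names are constructed here; the instance does not model rejection sampling or Dilithium parameters, and only shows how recovery depends on the noise level and the sample count $m$.

```python
import random

def ilwe_samples(s, m, sigma_a, sigma_e, rng):
    """Yield m pairs (a, b) with b = <a, s> + e over the integers (no mod q).
    Rounded Gaussians stand in for the subgaussian chi_a, chi_e (assumption)."""
    for _ in range(m):
        a = [round(rng.gauss(0, sigma_a)) for _ in s]
        e = round(rng.gauss(0, sigma_e))
        yield a, sum(x * y for x, y in zip(a, s)) + e

def least_squares(samples, k):
    """Return s_hat solving (A^T A) s_hat = A^T b.
    Both sides are accumulated per sample, so A is never stored
    (a standard normal-equations approach, not the paper's algorithm)."""
    G = [[0.0] * k for _ in range(k)]  # A^T A
    v = [0.0] * k                      # A^T b
    for a, b in samples:
        for i in range(k):
            v[i] += a[i] * b
            for j in range(k):
                G[i][j] += a[i] * a[j]
    # Gaussian elimination with partial pivoting on the augmented system.
    M = [G[i] + [v[i]] for i in range(k)]
    for c in range(k):
        p = max(range(c, k), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, k):
            f = M[r][c] / M[c][c]
            for j in range(c, k + 1):
                M[r][j] -= f * M[c][j]
    x = [0.0] * k
    for i in reversed(range(k)):
        tail = sum(M[i][j] * x[j] for j in range(i + 1, k))
        x[i] = (M[i][k] - tail) / M[i][i]
    return x

def recover(s, m, sigma_a=2.0, sigma_e=6.0, seed=1):
    """Round the estimator to the nearest integer vector."""
    rng = random.Random(seed)
    s_hat = least_squares(ilwe_samples(s, m, sigma_a, sigma_e, rng), len(s))
    return [round(x) for x in s_hat]

SECRET = [1, -2, 0, 2, -1, 1, 0, -2]  # constructed toy secret, k = 8

if __name__ == "__main__":
    print(recover(SECRET, m=2000))               # low noise, many samples
    print(recover(SECRET, m=50, sigma_e=100.0))  # high noise, few samples
```

The per-coordinate estimation error scales roughly as $\sigma_e / (\sigma_a \sqrt{m})$, so rounding returns the secret only once $m$ is large enough to push that error well below $1/2$.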

Figures (7)

  • Figure 1: LSM Attack on ILWE
  • Figure 2: SVD Attack on ILWE
  • Figure 3: Basic Overview of Dilithium's Rejection Sampling Procedure
  • Figure 4: Creating a Random Vector with $\rho$ Entries $\pm 1$.
  • Figure 5: BLISS Signing Algorithm
  • ...and 2 more figures

Theorems & Definitions (7)

  • Definition 2.1: Short Integer Solution (SIS)
  • Definition 2.2: Module Short Integer Solution (MSIS)
  • Definition 2.3: Learning With Errors (LWE)
  • Definition 2.4: Module Learning With Errors (MLWE)
  • Definition 2.5: Integer Learning With Errors (ILWE)
  • Definition 2.6: Subgaussian Variable
  • Theorem 2.1: Adapted from Bootle et al.