Dual lattice attacks for closest vector problems (with preprocessing)

Laarhoven T, Walter M. 2021. Dual lattice attacks for closest vector problems (with preprocessing). Topics in Cryptology โ€“ CT-RSA 2021. CT-RSA: Cryptographersโ€™ Track at the RSA Conference, LNCS, vol. 12704, 478โ€“502.

Download (ext.)

Conference Paper | Published | English

Scopus indexed
Author
Laarhoven, Thijs; Walter, MichaelISTA
Department
Series Title
LNCS
Abstract
The dual attack has long been considered a relevant attack on lattice-based cryptographic schemes relying on the hardness of learning with errors (LWE) and its structured variants. As solving LWE corresponds to finding a nearest point on a lattice, one may naturally wonder how efficient this dual approach is for solving more general closest vector problems, such as the classical closest vector problem (CVP), the variants bounded distance decoding (BDD) and approximate CVP, and preprocessing versions of these problems. While primal, sieving-based solutions to these problems (with preprocessing) were recently studied in a series of works on approximate Voronoi cells [Laa16b, DLdW19, Laa20, DLvW20], for the dual attack no such overview exists, especially for problems with preprocessing. With one of the take-away messages of the approximate Voronoi cell line of work being that primal attacks work well for approximate CVP(P) but scale poorly for BDD(P), one may further wonder if the dual attack suffers the same drawbacks, or if it is perhaps a better solution when trying to solve BDD(P). In this work we provide an overview of cost estimates for dual algorithms for solving these โ€œclassicalโ€ closest lattice vector problems. Heuristically we expect to solve the search version of average-case CVPP in time and space 20.293๐‘‘+๐‘œ(๐‘‘) in the single-target model. The distinguishing version of average-case CVPP, where we wish to distinguish between random targets and targets planted at distance (say) 0.99โ‹…๐‘”๐‘‘ from the lattice, has the same complexity in the single-target model, but can be solved in time and space 20.195๐‘‘+๐‘œ(๐‘‘) in the multi-target setting, when given a large number of targets from either target distribution. This suggests an inequivalence between distinguishing and searching, as we do not expect a similar improvement in the multi-target setting to hold for search-CVPP. We analyze three slightly different decoders, both for distinguishing and searching, and experimentally obtain concrete cost estimates for the dual attack in dimensions 50 to 80, which confirm our heuristic assumptions, and show that the hidden order terms in the asymptotic estimates are quite small. Our main take-away message is that the dual attack appears to mirror the approximate Voronoi cell line of work โ€“ whereas using approximate Voronoi cells works well for approximate CVP(P) but scales poorly for BDD(P), the dual approach scales well for BDD(P) instances but performs poorly on approximate CVP(P).
Publishing Year
Date Published
2021-05-11
Proceedings Title
Topics in Cryptology โ€“ CT-RSA 2021
Publisher
Springer Nature
Acknowledgement
The authors thank Sauvik Bhattacharya, Lยดeo Ducas, Rachel Player, and Christine van Vredendaal for early discussions on this topic and on preliminary results. The authors further thank the reviewers of CT-RSA 2021 for their valuable feedback.
Volume
12704
Page
478-502
Conference
CT-RSA: Cryptographersโ€™ Track at the RSA Conference
Conference Location
Virtual Event
Conference Date
2021-05-17 – 2021-05-20
ISSN
eISSN
IST-REx-ID

Cite this

Laarhoven T, Walter M. Dual lattice attacks for closest vector problems (with preprocessing). In: Topics in Cryptology โ€“ CT-RSA 2021. Vol 12704. Springer Nature; 2021:478-502. doi:10.1007/978-3-030-75539-3_20
Laarhoven, T., & Walter, M. (2021). Dual lattice attacks for closest vector problems (with preprocessing). In Topics in Cryptology โ€“ CT-RSA 2021 (Vol. 12704, pp. 478โ€“502). Virtual Event: Springer Nature. https://doi.org/10.1007/978-3-030-75539-3_20
Laarhoven, Thijs, and Michael Walter. โ€œDual Lattice Attacks for Closest Vector Problems (with Preprocessing).โ€ In Topics in Cryptology โ€“ CT-RSA 2021, 12704:478โ€“502. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-75539-3_20.
T. Laarhoven and M. Walter, โ€œDual lattice attacks for closest vector problems (with preprocessing),โ€ in Topics in Cryptology โ€“ CT-RSA 2021, Virtual Event, 2021, vol. 12704, pp. 478โ€“502.
Laarhoven T, Walter M. 2021. Dual lattice attacks for closest vector problems (with preprocessing). Topics in Cryptology โ€“ CT-RSA 2021. CT-RSA: Cryptographersโ€™ Track at the RSA Conference, LNCS, vol. 12704, 478โ€“502.
Laarhoven, Thijs, and Michael Walter. โ€œDual Lattice Attacks for Closest Vector Problems (with Preprocessing).โ€ Topics in Cryptology โ€“ CT-RSA 2021, vol. 12704, Springer Nature, 2021, pp. 478โ€“502, doi:10.1007/978-3-030-75539-3_20.
All files available under the following license(s):
Copyright Statement:
This Item is protected by copyright and/or related rights. [...]

Link(s) to Main File(s)
Access Level
OA Open Access

Export

Marked Publications

Open Data ISTA Research Explorer

Search this title in

Google Scholar
ISBN Search