Paper 2022/1750

Assessing the Impact of a Variant of the Latest Dual Attack

Kevin Carrier, CY Cergy-Paris Université
Charles Meyer-Hilfiger, Inria de Paris
Yixin Shen, Inria Rennes
Jean-Pierre Tillich, Inria de Paris
Abstract

The dual attacks on the Learning With Errors (LWE) problem are currently a subject of controversy. In particular, the results of [Matzov,2022], which claim to significantly lower the security level of CRYSTALS-Kyber, a lattice-based cryptosystem currently being standardized by NIST, are not widely accepted. The analysis behind their attack depends on a series of assumptions that, in certain scenarios, have been shown to contradict established theorems or well-tested heuristics [Ducas,Pulles,CRYPTO2023]. In this paper, we introduce a new dual lattice attack on LWE, drawing from ideas in coding theory. Our approach revisits the dual attack proposed by [Matzov,2022], replacing modulus switching with an efficient decoding algorithm. This decoding is achieved by generalizing polar codes over $\mathbb{Z}_{q}$, and we confirm their strong distortion properties through benchmarks. This modification enables a reduction from small-LWE to plain-LWE, with a notable decrease in the secret dimension. Additionally, we replace the enumeration step of the attack by assuming that the secret is zero on the portion being enumerated, and iterating this assumption over various choices of the enumeration part. We analyze our attack without using the flawed independence assumptions of [Matzov,2022], and we fully back up our analysis with experimental evidence. Lastly, we assess the complexity of our attack on CRYSTALS-Kyber, showing that the security levels for Kyber-512/768/1024 are 3.5/11.9/12.3 bits below the NIST requirements (143/207/272 bits) in the same nearest-neighbor cost model as in the Kyber submission. All in all, the cost of our attack matches, and in some cases even slightly beats, the complexities originally claimed by the attack of [Matzov,2022].

Note: This new version of the paper represents a substantial revision of the 2022 version. In particular, we present a new analysis of our dual lattice attack. Unlike our earlier version, the current analysis does not rely on independence assumptions that have recently been challenged in the work of Ducas and Pulles (CRYPTO 2023). Instead, we adopt an approach that has been validated experimentally, particularly to assess the potential issue of the error floor phenomenon, which may arise in our setting.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Lattice, dual attacks, codes
Contact author(s)
kevin carrier @ cyu fr
charles meyer-hilfiger @ inria fr
yixin shen @ inria fr
jean-pierre tillich @ inria fr
History
2025-04-14: revised
2022-12-20: received
Short URL
https://ia.cr/2022/1750
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1750,
      author = {Kevin Carrier and Charles Meyer-Hilfiger and Yixin Shen and Jean-Pierre Tillich},
      title = {Assessing the Impact of a Variant of the Latest Dual Attack},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1750},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1750}
}