
Benchmarking Attacks on Learning with Errors

Published 1 Aug 2024 in cs.CR | (2408.00882v2)

Abstract: Lattice cryptography schemes based on the learning with errors (LWE) hardness assumption have been standardized by NIST for use as post-quantum cryptosystems, and by HomomorphicEncryption.org for encrypted compute on sensitive data. Thus, understanding their concrete security is critical. Most work on LWE security focuses on theoretical estimates of attack performance, which is important but may overlook attack nuances arising in real-world implementations. The sole existing concrete benchmarking effort, the Darmstadt Lattice Challenge, does not include benchmarks relevant to the standardized LWE parameter choices - such as small secret and small error distributions, and Ring-LWE (RLWE) and Module-LWE (MLWE) variants. To improve our understanding of concrete LWE security, we provide the first benchmarks for LWE secret recovery on standardized parameters, for small and low-weight (sparse) secrets. We evaluate four LWE attacks in these settings to serve as a baseline: the Search-LWE attacks uSVP, SALSA, and Cool & Cruel, and the Decision-LWE attack: Dual Hybrid Meet-in-the-Middle (MitM). We extend the SALSA and Cool & Cruel attacks in significant ways, and implement and scale up MitM attacks for the first time. For example, we recover hamming weight $9-11$ binomial secrets for KYBER ($\kappa=2$) parameters in $28-36$ hours with SALSA and Cool & Cruel, while we find that MitM can solve Decision-LWE instances for hamming weights up to $4$ in under an hour for Kyber parameters, while uSVP attacks do not recover any secrets after running for more than $1100$ hours. We also compare concrete performance against theoretical estimates. Finally, we open source the code to enable future research.

Citations (1)

Summary

  • The paper demonstrates that practical benchmarks of LWE attacks reveal significant gaps between theoretical expectations and real-world performance.
  • It evaluates four attack methods (uSVP, ML-based, Cool & Cruel, and Dual Hybrid MiTM) and highlights their respective strengths and limitations.
  • The results underscore the need for advanced lattice reduction techniques and refined cost models to improve LWE-based cryptosystem security.

An Evaluation of Concrete Benchmarks for LWE Attacks

The paper "Benchmarking Attacks on Learning with Errors" addresses the crucial need for empirical benchmarks of attacks on lattice-based cryptosystems, particularly those relying on the Learning with Errors (LWE) problem. As LWE-based schemes such as CRYSTALS-KYBER have been standardized by NIST for post-quantum security, understanding their real-world security is pivotal. While theoretical analyses of LWE’s hardness abound, this paper uniquely emphasizes the concrete benchmarking of various LWE attack strategies against standardized parameter settings. This hands-on approach highlights discrepancies between theoretical predictions and practical attack execution, offering invaluable insights into the feasibility and efficiency of current cryptanalytic technologies.

Evaluation of LWE Attacks and Innovations

The paper evaluates four distinct attack methods: the unique Shortest Vector Problem (uSVP) attack, machine learning-based attacks, the Cool & Cruel attack, and the Dual Hybrid Meet-in-the-Middle (MiTM) attack. The study benchmarks these attacks under real-world settings where LWE is actually deployed, including MLWE settings used in CRYSTALS-KYBER and RLWE settings used in Homomorphic Encryption (HE) applications.

1. Attack Implementations and Observations

  • uSVP Attack: Tested using enumeration-based lattice reduction. It recovered no secrets within feasible computational limits, consistent with theoretical predictions that it is impractical for high-dimensional instances.
  • ML and Cool & Cruel Attacks: Demonstrated practical successes, particularly the Cool & Cruel method, which leverages patterns in reduced LWE samples to recover secrets. Enhanced machine learning methodologies were developed to recover non-binary secrets using novel data preprocessing and a “slope distinguisher” technique.
  • Dual Hybrid MiTM Attack: Successfully applied to Decision-LWE problems, with the paper achieving the first known implementation on high-dimensional LWE, though secret recovery was limited to cases where memory usage allowed.

Results and Analysis

The benchmarks show that the Cool & Cruel and ML attacks can recover secrets of moderate Hamming weight in controlled settings, whereas the Dual Hybrid MiTM and uSVP attacks fare worse under practical conditions because of their exponential memory and time requirements. The uSVP attack matches theoretical predictions of impracticality, confirming that it does not pose a practical threat at these scales. In contrast, the Dual Hybrid MiTM solves Decision-LWE instances efficiently, benefiting from improvements in lattice reduction techniques.

Discrepancies and Practical Implications

The gap between theoretical estimates and measured running times, observed most clearly in the MiTM implementation, underscores the need for better lattice reduction algorithms and refined cost models. The paper also shows that the choice of random number generator matters when preparing LWE data: cryptographically sound generators must be used, which reinforces existing best-practice guidelines for cryptographic data preparation.
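Two points made on this page, the small and low-weight (sparse) binomial secrets the benchmarks target and the need for a cryptographically sound random number generator when preparing LWE data, can be made concrete with the following added example. It is not code from the paper or its released repository. It uses plain matrix-form LWE rather than the RLWE/MLWE ring variants, takes q = 3329 from Kyber, and assumes a centered binomial noise parameter ETA = 2 and a reduced dimension N = 32 so that it runs instantly; the helper names are my own. Randomness comes from Python's `secrets` module (the OS CSPRNG) rather than `random`. The `is_secret` check is the verification step that a Search-LWE benchmark needs to confirm a recovered secret: the right secret leaves residuals inside the noise range, while a candidate that is wrong in even one coordinate leaves residuals that look uniform mod q.

```python
import secrets
from typing import List, Tuple

# q = 3329 is Kyber's modulus. ETA, N and M are assumptions chosen for a fast,
# readable example (Kyber itself uses n = 256 per ring element and works over
# a polynomial ring; this example uses plain matrix-form LWE).
Q = 3329
ETA = 2
N = 32   # reduced LWE dimension (assumption)
M = 64   # number of samples (assumption)


def centered_binomial(eta: int) -> int:
    """Sample from the centered binomial distribution CBD(eta), values in [-eta, eta].

    Uses the OS CSPRNG via `secrets`; a non-cryptographic generator would make
    the generated instances unrepresentative of real deployments.
    """
    a = sum(secrets.randbits(1) for _ in range(eta))
    b = sum(secrets.randbits(1) for _ in range(eta))
    return a - b


def sample_sparse_secret(n: int, weight: int, eta: int = ETA) -> List[int]:
    """Secret with exactly `weight` nonzero coordinates, each a nonzero CBD(eta) value."""
    if not 0 <= weight <= n:
        raise ValueError("Hamming weight must be between 0 and n")
    s = [0] * n
    positions: set = set()
    while len(positions) < weight:
        positions.add(secrets.randbelow(n))
    for i in positions:
        v = 0
        while v == 0:  # reject zeros so the Hamming weight is exact
            v = centered_binomial(eta)
        s[i] = v
    return s


def hamming_weight(s: List[int]) -> int:
    """Number of nonzero coordinates in the secret."""
    return sum(1 for x in s if x != 0)


def sample_lwe(s: List[int], m: int, eta: int = ETA, q: int = Q) -> Tuple[List[List[int]], List[int]]:
    """Produce m LWE samples (A, b = A*s + e mod q) with uniform A and CBD(eta) error e."""
    n = len(s)
    A = [[secrets.randbelow(q) for _ in range(n)] for _ in range(m)]
    b = [(sum(a * x for a, x in zip(row, s)) + centered_binomial(eta)) % q for row in A]
    return A, b


def centered(x: int, q: int = Q) -> int:
    """Map x mod q into the symmetric range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def residuals(A: List[List[int]], b: List[int], cand: List[int], q: int = Q) -> List[int]:
    """Centered b - A*cand mod q. This equals the error vector e exactly when cand is the secret."""
    return [centered(bi - sum(a * x for a, x in zip(row, cand)), q) for row, bi in zip(A, b)]


def is_secret(A: List[List[int]], b: List[int], cand: List[int], eta: int = ETA, q: int = Q) -> bool:
    """Search-LWE verification: accept cand only if every residual lies in the CBD range [-eta, eta].

    For a wrong candidate the residuals are (near) uniform mod q, so the chance that all m of
    them land in a window of 2*eta+1 values is about ((2*eta+1)/q)**m, negligible for m = 64.
    """
    return all(abs(r) <= eta for r in residuals(A, b, cand, q))


def mean_abs_residual(A: List[List[int]], b: List[int], cand: List[int], q: int = Q) -> float:
    """Summary statistic: at most eta for the true secret, roughly q/4 for a wrong candidate."""
    rs = residuals(A, b, cand, q)
    return sum(abs(r) for r in rs) / len(rs)


if __name__ == "__main__":
    s = sample_sparse_secret(N, 9)            # Hamming weight 9, as in the page's Kyber benchmarks
    A, b = sample_lwe(s, M)
    wrong = list(s)
    wrong[next(i for i, x in enumerate(s) if x != 0)] = 0   # drop one nonzero coordinate
    print("hamming weight:", hamming_weight(s))
    print("true secret verifies:", is_secret(A, b, s), "mean |residual|:", mean_abs_residual(A, b, s))
    print("wrong candidate verifies:", is_secret(A, b, wrong), "mean |residual|:", mean_abs_residual(A, b, wrong))
```

Because q is prime, multiplying a uniform entry of A by any nonzero secret coordinate keeps it uniform, which is why a candidate that differs from the secret in a single coordinate produces residuals spread over the whole range rather than clustered near zero.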

Future Directions

The paper’s open-sourcing of attack implementations and benchmarks serves as an open invitation for further exploration and refinement by the cryptographic research community. Future work may explore:

  • Advanced lattice reduction strategies to expedite the preprocessing phases of these attacks.
  • A more precise bridging of theoretical cost models with experimental outcomes for better predictive accuracy.
  • Broadening the spectrum of evaluated LWE attacks, including Bounded Distance Decoding and primal hybrid attacks, enriching the comparative landscape of LWE attack efficacy.

This effort significantly advances the empirical understanding of LWE’s resilience against concrete attacks, fostering the development of more secure post-quantum cryptosystems through collaborative and communal validation.
