Monday, December 7, 2015

Provably Weak Instances of Ring-LWE Revisited

In Crypto 2015, Elias, Lauter, Ozman and Stange [ELOS15] proposed a successful attack on the decision version of the non-dual Ring-LWE problem over number fields $K$ for two specific families of defining polynomials. Both families have the common feature that the coefficients of the polynomials are dependent on the modulus $q$.

We extended this attack to the search version of Ring-LWE by using that the error distributions in such number fields are very skewed by moving away from the Minkowski space. Particularly, the largest errors either wrap around modulo $q$ (and thus make it impossible to decrypt the secret), or the smallest ones are so negligible that we obtain exact linear equations that reveal the secret. Our attack applies to every modulus up to $q$, and requires less samples.

Let $M$ be the $n \times n$ matrix of the canonical embedding $K \to \mathbb{C}^n$ with respect to the polynomial basis of $K$, and let $N$ be its inverse. The "skewness" of the errors can be nicely described by the singular value decomposition (SVD) of the matrix $N$ and the condition number $k(N) = s_1(N)/s_n(N)$, where $s_1$ and $s_n$ are the biggest and the smallest singular values correspondingly.

Recall that the SVD is given by $N = U \cdot \Sigma \cdot \overline{V}^t$, where $U$, $V$ are unitary matrices and $\Sigma$ is a diagonal matrix containing the singular values. The image of a unit sphere under $N$ will result in an ellipsoid whose axes are defined by the columns of $U$, with length equal to the corresponding singular value. Hence, the condition number captures how heavily this ellipsoid is deformed.

All vulnerable instances in [ELOS15] are defined by polynomials $f_{n, a, b} = x^n +ax + b$, where $a$ and $b$ are such that  $f(1) = 0 \bmod q$, which is the property that they exploit, but that our attack does not need. If we consider their first family of samples, where $a = 0$ and $b = q - 1$, the SVD of $N$ is of the form $I_{n \times n} \cdot \Sigma \cdot \overline{V}^t$. Thus a spherical error distribution on the Minkowski space with the parameter $\sigma$ induces an elliptical distribution on the number field, where the $i$th coordinate is distributed by a Gaussian with $\sigma_i = s_i(N) \cdot \sigma$. Moreover, the condition number is close to the modulus $q$, that is, the elliptical distribution is stretched along axes whose lengths range roughly from $\sigma_1$ to $q \cdot \sigma_1$. For the second family we did not find such an explicit form of the SVD. Nevertheless, the unitary matrix $U$ remains close to being diagonal (see the heat map below) and the singular values form a near-geometric series again leading to a condition number close to $q$.
It can be easily seen that for both families and for the choices of $\sigma$ made in [ELOS15], the Ring-LWE distribution generates negligible errors in the higher terms of the polynomial basis. More precisely each Ring-LWE sample $(a, b = a \cdot s + e)$ can be written as
\[ M_{a} \cdot (s_0, s_1, \dots, s_{n-1})^t = (b_{0}, b_{1}, \dots, b_{n-1})^t - (e_{0}, e_{1}, \dots, e_{n-1})^t , \]
where $M_{a}$ corresponds to multiplication by $a$. By rounding, the higher error terms are removed and the last equations become exact equations in the coefficients of the secret. If the highest $\left\lceil n/k \right\rceil$ error terms round to zero then we need only $k$ Ring-LWE samples to reveal the secret (for these concrete examples 10 samples amply suffice).

The corresponding paper will appear soon on the Eprint.

Wouter Castryck, Ilia Iliashenko and Fre Vercauteren.

No comments:

Post a Comment