(In)Security of Ring-LWE Under Partial Key Exposure

Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni and Aria Shahverdi

Abstract

We initiate the study of partial key exposure in Ring-LWE (RLWE)-based cryptosystems. Specifically, we (1) Introduce the search and decision Leaky R-LWE assumptions (Leaky R-SLWE, Leaky R-DLWE), to formalize the hardness of search/decision RLWE under leakage of some fraction of coordinates of the NTT transform of the RLWE secret. (2) Present and implement an efficient key exposure attack that, given certain 1/4-fraction of the coordinates of the NTT transform of the RLWE secret, along with samples from the RLWE distribution, recovers the full RLWE secret for standard parameter settings. (3) Present a search-to-decision reduction for Leaky R-LWE for certain types of key exposure. (4) Propose applications to the security analysis of RLWE-based cryptosystems under partial key exposure.

MSC 2010: 94A60; 68P25; 03G10

1 Introduction

There has been a monumental effort in the cryptographic community to develop “post-quantum” cryptosystems that remain secure even in the presence of a quantum adversary. One of the foremost avenues for viable post-quantum public key cryptography is to construct schemes from the Ring-Learning with Error (RLWE) assumption—currently 3 out of 26 of the second round NIST submissions are based on assumptions in the ring setting. RLWE is often preferred in practice over standard LWE due to its algebraic structure, which allows for smaller public keys and more efficient implementations. In the RLWE setting, we typically consider rings of the form $R_q := \mathbb{Z}_q[x]/(x^n+1)$, where n is a power of two and q ≡ 1 mod 2n. The (decisional) RLWE problem is then to distinguish $(a, b = a \cdot s + e) \in R_q \times R_q$ from uniformly random pairs, where $s \in R_q$ is a random secret, $a \in R_q$ is uniformly random and the error term $e \in R$ has small norm. A critical question is whether the additional algebraic structure of the RLWE problem renders it less secure than the standard LWE problem. Interestingly, to the best of our knowledge—for the rings used in practice and practical parameter settings—the best attacks on RLWE are generic and can equally well be applied to standard LWE [28]. In this work, we ask whether improved attacks on RLWE are possible when partial information about the RLWE secret is exposed, though the secret retains high entropy.

The NTT transform.

One key method for speeding up computations in the RLWE setting is usage of the NTT transform (similar to the discrete Fourier transform (DFT), but over finite fields) to allow for faster polynomial multiplication over the ring $R_q$. Specifically, applying the NTT transform to two polynomials $p, p' \in R_q$, resulting in two n-dimensional vectors $\hat{p}, \hat{p}' \in \mathbb{Z}_q^n$, allows for component-wise multiplication and addition, which is highly efficient. In this work, we consider leakage of a fraction of NTT coordinates of the RLWE secret. Since the RLWE secret will typically be stored in NTT form (to facilitate fast computation) [4, 7], leakage of coordinates of the NTT transform is a natural model for partial key exposure attacks.

This work.

The goal of this work is to initiate a study of partial key exposure in RLWE based cryptosystems and explore both positive and negative results in this setting. Specifically, we (1) define search and decision versions of Leaky RLWE assumptions, where the structured leakage occurs on the coordinates of the NTT transform of the RLWE secret; (2) present partial key exposure attacks on RLWE, given 1/4-fraction of structured leakage on the secret key; (3) present a search to decision reduction for the Leaky RLWE assumptions; and (4) propose applications of the decision version of the assumption to practical RLWE-based cryptosystems.

1.1 Leaky RLWE Assumptions–Search and Decision Versions

We next briefly introduce the search and decision versions of the Leaky RLWE assumptions. For $p \in R_q := \mathbb{Z}_q[x]/(x^n+1)$, we denote $\hat{p} := \mathrm{NTT}(p) := (p(\omega^1), p(\omega^3), \ldots, p(\omega^{2n-1}))$, where ω is a primitive 2n-th root of unity modulo q, and is guaranteed to exist by choice of prime q, s.t. q ≡ 1 mod 2n. Note that $\hat{p}$ is indexed by the set $\mathbb{Z}_{2n}^*$.

The search version of the RLWE problem with leakage, denoted Leaky R-SLWE, is parametrized by $(n' \in \{1,2,4,8,\ldots,n\}, S \subseteq \mathbb{Z}_{2n'}^*)$. The goal is to recover the RLWE secret $s = \mathrm{NTT}^{-1}(\hat{s})$, given samples from the distribution $D^s_{\mathrm{real},n',S}$ which outputs $(\hat{a}, \hat{a} \cdot \hat{s} + \hat{e}, [\hat{s}_i]_{i \equiv \alpha \bmod 2n',\, \alpha \in S})$, where a, s, and e are as in the standard RLWE assumption (see Appendix A.2 and [26] for the precise definition).

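The decision version of the RLWE problem with leakage, denoted Leaky R-DLWE, is parametrized by $(n' \in \{1,2,4,8,\ldots,n\}, S \subseteq \mathbb{Z}_{2n'}^*)$. The goal is to distinguish the distributions $D^s_{\mathrm{real},n',S}$ and $D^s_{\mathrm{sim},n',S}$, where $D^s_{\mathrm{real},n',S}$ is as above and $D^s_{\mathrm{sim},n',S}$ outputs $(\hat{a}, \hat{u}, [\hat{s}_i]_{i \equiv \alpha \bmod 2n',\, \alpha \in S})$, where $\hat{u}_i = \hat{a}_i \cdot \hat{s}_i + \hat{e}_i$ for $i \equiv \alpha \bmod 2n'$, $\alpha \in S$ and $\hat{u}_i$ is chosen uniformly at random from $\mathbb{Z}_q$, otherwise. Note that only the coordinates of $\hat{u}$ corresponding to unleaked positions are required to be indistinguishable from random.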

When $S = \{\alpha\}$ consists of a single element, we sometimes abuse notation and write the Leaky-RLWE parameters as $(n', \alpha)$. Leaky-RLWE with parameters $(n', S)$ where $S = \{\alpha_1, \alpha_2, \ldots, \alpha_t\}$, is equivalent to Leaky-RLWE with parameters $(n', S')$, where $S' = \alpha_1^{-1} \cdot S$ (multiply every element of S by $\alpha_1^{-1}$). It is also not hard to see that leaky search and decision are equally hard when secret s is uniform random from $R_q$ versus drawn from the error distribution (the same reduction for standard RLWE works in our case).

1.2 Our Results

Partial key exposure attacks.

We present attacks on Leaky R-SLWE and test them on various practical parameter settings, such as the NewHope [7] parameter settings as well as the RLWE challenges of Crockett and Peikert [12]. Our attacks demonstrate that Leaky R-SLWE is easy for leakage parameters $(n'=4, \alpha=1)$, $(n'=8, S=\{1,7\})$ and $(n'=8, S=\{1,15\})$, under (1) NewHope parameter settings of n = 1024, q = 12289, and $\chi = \Psi_{16}$ (centered binomial distribution of parameter 16); (2) The same parameters above, but with $\chi = D_{\sqrt{8}}$ (discrete Gaussian with standard deviation of $\sqrt{8}$, which has the same standard deviation as $\Psi_{16}$), since this is the recommended setting in the case where the adversary gets to see many RLWE samples [3]; (3) For parameters of several of the Crockett and Peikert challenges, including those classified as “very hard.” In all the above cases, we fully recover the RLWE secret with high probability, given the corresponding 1/4-fraction of the positions in the NTT transform of the RLWE secret. See Section 3.2 for details on the experimental results.

A search-to-decision reduction.

Define $T_{n'}(n)$ to be the time required to solve Leaky R-SLWE for dimension n, given positions $[\hat{s}_i]_{i \equiv \alpha \bmod 2n'}$. Assuming search R-LWE without leakage is subexponentially $2^{\Omega(n^\epsilon)}$-hard for some constant ϵ ≤ 1 and polynomial modulus q, then $T_n(n) \in 2^{\Omega(n^\epsilon)}$, i.e. there is a constant c such that, for sufficiently large n, $T_n(n) \geq 2^{c \cdot n^\epsilon}$. Also, $T_1(n) \in \mathrm{poly}(n)$, since the entire s is leaked. So there is some constant c′ such that, for sufficiently large n, there exists $n^* = n^*(n) \in \{2,4,8,16,\ldots,n\}$ such that $T_{n^*}(n) \geq 2^{c' \cdot n^\epsilon}$ and $T_{n^*}(n)/T_{n^*/2}(n) \geq n$.

Theorem 1.1

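(Informal). Assume $n^* := n^*(n) > 4$, $s \leftarrow R_q$, then:

(1) $D^s_{\mathrm{real},n^*,\{\alpha\}} \approx D^s_{\mathrm{sim},n^*,\{\alpha\}}$ OR

(2) $D^s_{\mathrm{real},n^*,\{\alpha,(n^*-1)\alpha\}} \approx D^s_{\mathrm{sim},n^*,\{\alpha,(n^*-1)\alpha\}}$ OR

(3) $D^s_{\mathrm{real},n^*,\{\alpha,(2n^*-1)\alpha\}} \approx D^s_{\mathrm{sim},n^*,\{\alpha,(2n^*-1)\alpha\}}$.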

While at first glance it may seem that the conclusions (1), (2), (3) are redundant, in fact they are incomparable. Indeed, conclusion (1) does not imply (2) (resp. (3)), since the adversary in (2) (resp. (3)) is given additional leakage. Conversely, conclusion (2) (resp. (3)) does not imply (1), since the set of NTT coordinates that are indistinguishable from random is smaller in (2).

Note that our experimental results show that for our chosen parameter settings $D^s_{\mathrm{real},4,\{1\}} \not\approx D^s_{\mathrm{sim},4,\{1\}}$, $D^s_{\mathrm{real},8,\{1,7\}} \not\approx D^s_{\mathrm{sim},8,\{1,7\}}$ and $D^s_{\mathrm{real},8,\{1,15\}} \not\approx D^s_{\mathrm{sim},8,\{1,15\}}$ (since we in fact fully recover the secret in all these cases). This indicates that n* ≠ 4 and, if n* = 8 for our chosen parameter settings (as supported by our experiments), then it must be the case that $D^s_{\mathrm{real},8,\{1\}} \approx D^s_{\mathrm{sim},8,\{1\}}$.

Applications.

The Leaky R-DLWE assumption is a useful tool for analyzing the security of RLWE-based cryptosystems subject to partial key exposure, and guaranteeing a graceful degradation in security. In particular, the Leaky R-DLWE assumption was used to analyze the NewHope protocol of [7] in the ePrint version of this paper [14]. The assumption is applicable to schemes in which the RLWE assumption is used to guarantee that a certain outcome is high-entropy (as opposed to uniform random), such as NewHope without reconciliation [6].

Practicality of our attack.

We note that an attack on Leaky R-SLWE yields an attack on standard search R-LWE by guessing each possible leakage outcome, running the Leaky R-SLWE attack and checking correctness of the recovered secret. Therefore, we believe this line of research is interesting beyond the context of leakage resilience, since if the attack can be made to work successfully for sufficiently low leakage rate (far lower than the 1/4-leakage rate of our attacks), then one could potentially obtain an improved attack on standard search R-LWE.

We chose to consider partial exposure of the NTT transform of the R-LWE secret, since in practical schemes the secret key is often stored in the NTT domain and certain types of side-channel attacks allow recovering large portions of the secret key stored in memory. E.g., in their analysis of “cold boot attacks” on NTT cryptosystems, Albrecht et al. [4] considered bit-flip rates as low as 0.2%. However, the highly structured leakage required for our attack is unlikely to occur in a practical leakage setting such as a “cold boot attack,” where one expects to recover the values of random locations in memory. We leave open the question of reducing the structure of the leakage in our attack. Specifically, as a starting point it will be interesting to see if our attack can extend to leakage patterns of n′ = 16, |S| = 4 or n′ = 32, |S| = 8, etc. While the leakage rate remains the same (1/4) in each case, these patterns capture leakage that is less and less structured, since at the extreme, one can view leakage of a random 1/4-fraction of the NTT coordinates as an instance of Leaky R-SLWE with parameters n′ = n and |S| = n/4.

1.3 Comparison with Concurrent Work of Bolboceanu et al. [9]

One of the settings considered by [9] is sampling the RLWE secret from an ideal I ⊆ qR. It is straightforward to see that sampling the RLWE secret uniformly at random from Rq and then leaking the NTT coordinates i such that i = α mod 2n′ is equivalent to sampling the RLWE secret from the ideal I that contains those elements whose NTT transform is 0 in positions i such that i = α mod 2n′.

Nevertheless, our decisional assumption is weaker than the assumption of [9], since [9] require that the entire vector u be indistinguishable from uniform random, whereas we only require that the NTT transform of u is indistinguishable from uniform random at the positions i that are not leaked. Our assumption lends itself to a search-to-decision reduction while the assumption of [9] does not. While [9] do provide a direct security reduction for their decisional assumption, the required standard deviation of the error (in polynomial basis, tweaked and scaled by q) is , ω(q1/nn3/2), which would be far higher than the noise considered in the NewHope and RLWE Challenges settings. In contrast, our assumption can be applied in practical parameter regimes and is sufficient to argue the security of several practical cryptosystems under partial key exposure.

Finally, we compare our attack to that of [9]. For fixed n, q, our attack works for noise regimes that are not covered by the attack of [9]. For example, for NewHope settings of n = 1024, q = 12289, the attack of [9] has success rate at most 1/1000 when the standard deviation of noise distribution is less than 0.00562. In contrast, our attack works (with success ranging from 82/200 to 2/1000) when the standard deviation of the noise is $\sqrt{8} \approx 2.83$. Our attack applies only for certain leakage patterns corresponding to certain ideals I, whereas the attack of [9] works for any ideal. The techniques of the two attacks are entirely different. [9] obtain a “good” basis for the ideal via non-uniform advice, perform a change of basis and then use Babai’s roundoff algorithm to solve the resulting BDD instance. We use the algebraic structure of the problem to convert RLWE instances over high dimension into CVP instances over constant dimension n′. We then exactly solve the CVP instances over constant dimension and determine the “high confidence” solutions that are likely to be the correct values of the RLWE error. Assuming all high confidence solutions are correct, we obtain a noiseless system of linear equations w.r.t. the RLWE secret, allowing efficient recovery of the secret.

1.4 Related Work

Leakage-resilient cryptography.

The study of provably secure, leakage-resilient cryptography was introduced by the work of Dziembowski and Pietrzak in [19]. Pietrzak [29] also constructed a leakage-resilient stream-cipher. Brakerski et al. [11] showed how to construct a scheme secure against an attacker who leaks at each time period. There are other works as well considering continual leakage [17, 22]. There is also work on leakage-resilient signature schemes [10, 21, 27].

Leakage-resilience and Lattice-based Cryptography.

Goldwasser et al. [20], and subsequently [2, 16, 18] studied the leakage resilience of standard LWE based cryptosystems in the symmetric and public key settings.

Leakage Resilience of Ring-LWE.

Dachman-Soled et al. [13] considered the leakage resilience of a RLWE-based public key encryption scheme for specific leakage profiles. This was followed by Albrecht et al. [4], who investigated cold boot attacks and compared the number of operations for implementing the attack when the secret key is stored as polynomial coefficients versus when an encoding of the secret key using a number theoretic transform (NTT) is stored in memory. Recently, [30] showed that given multiple samples of RLWE instances such that the public key for every instance lies in some specific subring, one can reduce the original RLWE problem to multiple independent RLWE problems over the subring. In this work we do not place any such restriction on the RLWE samples required to mount a partial key exposure attack.

2 Preliminaries

For a positive integer n, we denote by [n] the set {0, . . . , n − 1}. We denote vectors in boldface and matrices using capital letters A. For vector x over $\mathbb{R}^n$ or $\mathbb{C}^n$, define the $\ell_2$ norm as $\|x\|_2 = (\sum_i |x_i|^2)^{1/2}$. We write it as ‖x‖ for simplicity. We use the notation $\approx_{t(n),p(n)}$ to indicate that adversaries running in time t(n) can distinguish two distributions with probability at most p(n).

We present the background and standard definitions related to lattices, algebraic number theory, RLWE, and NTT transform in Appendix A.

3 Partial Key Exposure Attack on Ring-LWE

3.1 Reconstructing the secret given (α mod 8) leakage

Recall that for $p \in \mathbb{Z}_q[x]/(x^n+1)$, the NTT transform, $\hat{p}$, is obtained by evaluating p(x) mod q at the powers $\omega^i$ for $i \in \mathbb{Z}_{2n}^*$, where ω is a 2n-th primitive root in $\mathbb{Z}_q$. For $n' \in \{1,2,4,8,\ldots,n\}$, let $u = n/n'$. For $\alpha \in \mathbb{Z}_{2n'}^*$, let $p_u^\alpha(x)$ be the degree u − 1 polynomial that is obtained by taking p(x) modulo $(x^u - (\omega^\alpha)^u)$. We may assume WLOG that α = 1. We abbreviate notation and write $p_u$ instead of $p_u^1$.

We consider attacks in which the adversary learns all coordinates i of $\hat{s}$ such that i ≡ 1 mod 2n′ where $n' \in \{1,2,4,8,\ldots,n\}$, and aims to recover the RLWE secret s. First, we note that in NTT transform notation the equation $\hat{a} \cdot \hat{s} + \hat{e} = \hat{u}$ holds component-wise. Therefore, given leakage on certain coordinates of $\hat{s}$, we can solve for the corresponding coordinates of $\hat{e}$. We also get to see multiple RLWE samples (which we write in matrix notation, where the $A^j$ matrices are the circulant matrices corresponding to the ring elements $a^j$) as $(A^1, A^1 s + e^1 = u^1), \ldots, (A^\ell, A^\ell s + e^\ell = u^\ell)$. Thus, for the j-th RLWE sample we learn all the coordinates $\hat{e}^j_i$, for i ≡ 1 mod 2n′. Note that the leaked coordinates are the evaluation of the polynomial $e_u(x)$ at the $\omega^i$ for i ≡ 1 mod 2n′. We can then reconstruct the polynomial $e_u(x)$ using Lagrange Interpolation.

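For $i \in \{0, \ldots, u-1\}$, the (i + 1)-st coefficient of $e_u(x)$, i.e. $e_{u,i}$, is equal to

$$e_i + \omega^u e_{i+u} + \omega^{2u} e_{i+2u} + \cdots + \omega^{(n'-1)u} e_{i+(n'-1)u}$$

The coefficients of e can be partitioned into u groups of size n′, forming independent linear systems, each with n′ variables and one equation. Given only the leakage, the set of feasible secret keys is a cartesian product $S_1 \times \cdots \times S_u$, where for i ∈ [u], the set $S_i$ is the set of vectors $\bar{e}_i := \{e_i, e_{i+u}, e_{i+2u}, \ldots, e_{i+(n'-1)u}\}$ that satisfy the i-th linear system:

$$\begin{bmatrix} 1 & \omega^u & \omega^{2u} & \cdots & \omega^{(n'-1)u} \end{bmatrix} \begin{bmatrix} e_i & e_{i+u} & e_{i+2u} & \cdots & e_{i+(n'-1)u} \end{bmatrix}^T = \begin{bmatrix} e_{u,i} \end{bmatrix}$$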

Since each coordinate of e is drawn independently from χ and since each linear system above has small dimension n′, we can use a brute-force-search to find the most likely solution and calculate its probability.

Given this information, we will carefully choose the solutions $\bar{e}^j_i$ (from all possible sets of solutions $[\bar{e}^j_i]_{j \in [\ell], i \in [u]}$) that have a high chance of being the correct values of the RLWE error. To obtain a full key recovery attack, we require the following: (1) In total, we must guess at least u number of n′-dimensional solutions, $\bar{e}^j_i$, from all the obtained solutions $[\bar{e}^j_i]_{j \in [\ell], i \in [u]}$; (2) With high probability all our guesses are correct. Observe that if our guess of some $\bar{e}^j_i$ is correct, we learn the following linear system of n′ equations and n variables $(A^{j,i} s = u^{j,i} - e^{j,i})$, where $A^{j,i}$ is the submatrix of $A^j$ consisting of the n′ rows $i, i+u, i+2u, \ldots, i+(n'-1)u$, and $u^{j,i}$, $e^{j,i}$ are vectors consisting of the $i, i+u, i+2u, \ldots, i+(n'-1)u$ coordinates of $u^j$ and $e^j$. So assuming (1) and (2) hold, we learn u noiseless systems of n′ linear equations, each with n = u · n′ number of variables. We then construct a linear system of n variables and n equations, which can be solved to obtain the candidate s.

In order to ensure that (2) holds, we only keep the guess for $\bar{e}^j_i$ when we have “high confidence” that it is the correct solution. The probability of a particular solution $\bar{e}^j_i := (e^j_i, e^j_{i+u}, \ldots, e^j_{i+(n'-1)u})$ is the ratio of the probability of $\bar{e}^j_i$ being drawn from the error distribution (which is coordinate-wise independent) over the sum of the probabilities of all solutions. For small dimension n′, this can be computed via a brute-force method. In our case, we keep the highest probability solution when it has probability at least, say 0.98. The probability that all guesses are correct is therefore $0.98^u = 0.98^{n/n'}$.
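The following is an added example, not the authors' implementation (theirs is the Sage/fplll code cited as [1]). It works through this subsection on a toy instance (n = 16, n′ = 4, NewHope's q = 12289): it derives the leaked coordinates of the error, interpolates $e_u(x)$, and brute-forces each one-equation system to get the posterior confidence of its most likely solution. All function names, the seed and the toy dimension are assumptions made for illustration; interpolation is done as a scaled inverse DFT, and the last coordinate of each candidate is solved for rather than enumerated.

```python
import itertools
import math
import random

def find_omega(n, q):
    """Primitive 2n-th root of unity mod q (n a power of two, q = 1 mod 2n)."""
    for g in range(2, q):
        w = pow(g, (q - 1) // (2 * n), q)
        if pow(w, n, q) == q - 1:          # w^n = -1, so the order of w is exactly 2n
            return w
    raise ValueError("q must be a prime with q = 1 mod 2n")

def ntt(p, omega, q):
    """NTT as defined on the page: p evaluated at omega^i for every odd i < 2n."""
    return {i: sum(c * pow(omega, i * k, q) for k, c in enumerate(p)) % q
            for i in range(1, 2 * len(p), 2)}

def psi_pmf(k):
    """Probability mass function of the centered binomial Psi_k on [-k, k]."""
    return {x: math.comb(2 * k, k + x) / 4 ** k for x in range(-k, k + 1)}

def sample_psi(k, n, rng):
    return [sum(rng.getrandbits(1) - rng.getrandbits(1) for _ in range(k))
            for _ in range(n)]

def leaky_sample(n, q, n_prime, k, rng):
    """Constructed Leaky R-SLWE sample for S = {1}; the true e is returned for checking."""
    omega = find_omega(n, q)
    a = [rng.randrange(q) for _ in range(n)]
    s, e = sample_psi(k, n, rng), sample_psi(k, n, rng)
    a_hat, s_hat, e_hat = (ntt(p, omega, q) for p in (a, s, e))
    u_hat = {i: (a_hat[i] * s_hat[i] + e_hat[i]) % q for i in a_hat}
    leaked = {i: s_hat[i] for i in s_hat if i % (2 * n_prime) == 1}
    return omega, a_hat, u_hat, leaked, e

def reduced_error_poly(omega, q, n_prime, a_hat, u_hat, leaked):
    """Coefficients e_{u,0..u-1} of e_u(x) = e(x) mod (x^u - omega^u), from leaked data only."""
    idx = sorted(leaked)                   # i = 1 + 2n'k for k = 0..u-1
    u = len(idx)
    e_hat = [(u_hat[i] - a_hat[i] * leaked[i]) % q for i in idx]
    # The leaked points are omega * zeta^k with zeta = omega^(2n') of order u, so
    # Lagrange interpolation reduces to a scaled inverse DFT of size u.
    zeta_inv = pow(omega, -2 * n_prime, q)
    omega_inv, u_inv = pow(omega, -1, q), pow(u, -1, q)
    return [u_inv * pow(omega_inv, m, q)
            * sum(v * pow(zeta_inv, m * k, q) for k, v in enumerate(e_hat)) % q
            for m in range(u)]

def solve_group(c, omega, q, u, n_prime, pmf):
    """Brute-force sum_k omega^(ku) * e_k = c (mod q) over supp(chi)^n'.

    Returns (most likely solution, its posterior probability, number of solutions)."""
    coeffs = [pow(omega, k * u, q) for k in range(n_prime)]
    last_inv = pow(coeffs[-1], -1, q)
    sols = {}
    for head in itertools.product(sorted(pmf), repeat=n_prime - 1):
        # One equation: fixing n'-1 coordinates determines the last one mod q.
        last = (c - sum(w * x for w, x in zip(coeffs, head))) * last_inv % q
        last = last - q if last > q // 2 else last
        if last in pmf:
            cand = head + (last,)
            sols[cand] = math.prod(pmf[x] for x in cand)
    best = max(sols, key=sols.get)
    return best, sols[best] / sum(sols.values()), len(sols)

def analyse_sample(n=16, q=12289, n_prime=4, k=2, seed=1, threshold=0.98):
    """Run the analysis on one constructed sample; one result row per coefficient group."""
    rng = random.Random(seed)
    omega, a_hat, u_hat, leaked, e = leaky_sample(n, q, n_prime, k, rng)
    u = n // n_prime
    e_u = reduced_error_poly(omega, q, n_prime, a_hat, u_hat, leaked)
    rows = []
    for i in range(u):
        guess, conf, count = solve_group(e_u[i], omega, q, u, n_prime, psi_pmf(k))
        truth = tuple(e[i + j * u] for j in range(n_prime))
        rows.append({"group": i, "guess": guess, "truth": truth, "confidence": conf,
                     "solutions": count, "kept": conf >= threshold})
    return e_u, rows

if __name__ == "__main__":
    for k in (2, 16):                      # narrow error vs. NewHope's Psi_16
        for row in analyse_sample(k=k)[1]:
            print(k, row)
```

With $\Psi_2$ every system has a single solution at this modulus, so the leaked quarter of $\hat{s}$ determines e completely. With $\Psi_{16}$ the same systems admit many candidates, and only groups whose most likely solution dominates the posterior pass the threshold.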

Since computing the exact probability as above is computationally intensive, we develop a heuristic that performs nearly as well and is much faster. Note that finding the “most likely” solution is equivalent to solving a CVP problem over an appropriate n′-dimensional lattice. We then calculate the probability of the solution under the discrete Gaussian and set some threshold. If the probability of the solution is above the threshold we keep it, if not we discard it. Experimentally, we show that by setting the threshold correctly, we can still achieve high confidence. See Figure 1 for the exact settings of the threshold for each setting of parameters. Our experiments also show that (1) also holds given a reasonable number of RLWE samples. See Section 3.2 for a presentation of our experimental results. We describe our attack in cases where the leakage is on all coordinates i such that $i \equiv \alpha_1 \bmod 2n'$ or $i \equiv \alpha_2 \bmod 2n'$ in Appendix B.1.

Figure 1

Performance of attack against RLWE Challenges [12] and NewHope [7] parameter settings. For each parameter setting, we report the following: min/max and average number of RLWE samples required for successful break, total number of broken instances, and max run-time (in seconds) for successful break. Threshold is set such that the minimal weight solutions to the linear systems given in Section 3 have high confidence with sufficiently high probability.

Complexity of the attack.

We provide the pseudocode for the attack in Appendix D, Figure 3. While our attack works well in practice, we do not provide a formal proof that our attack is polynomial time for a given setting of parameters. Within the loop beginning on line 5, all the steps (or subroutines) shown in Figure 3 can be computed in polynomial time. Note that even step 12 (CVP.closest_vector), which requires solving a CVP instance, can be computed in polynomial time because for the leakage patterns we consider, the dimension of the CVP instance will always be either 4 or 8, a constant independent of n. However, our analysis does not bound the number of iterations of the loop beginning on line 5. Specifically, we do not analyze how large the variable RLWESamples must be set in order to guarantee that the attack is successful with high probability. Bounding this variable corresponds to bounding the number of RLWE samples needed in order to obtain a sufficient number of “high confidence” solutions. In practice, the number of RLWE samples was always fewer than 200 for all parameter settings. In future work, we plan to compute the expected number of RLWE samples needed to obtain a sufficient number of high confidence solutions for a given parameter setting. Assuming this expected number of samples is polynomial in n, we obtain an expected polynomial time attack.

Figure 2

Description of Attack 1.

Figure 3

Description of Partial Key Exposure Attack from Section 3

3.2 Experimental Results

We first assess the performance of our attack on the RLWE challenges published by Crockett and Peikert [12], with various parameters, ranging from “toy” to “very hard” security levels. For each parameter setting, a cut-and-choose protocol was used by [12] to prove correctness of the challenges: They committed to some number (e.g. N = 32) of independent RLWE instances, a random index i was chosen, and the secret key for all except the i-th instance was revealed. For each of the 31 opened challenges, we simulate the Leaky RLWE experiment and attempt to recover the full secret s using our attack. We next measure the performance of our attack on RLWE instances generated using the dimension, modulus and noise distribution proposed in the original NewHope scheme [7]. These parameters are more conservative than the ones chosen for the later submission to the NIST competition [5]. When multiple RLWE samples are released, bounded error distributions are less secure [3]. We therefore tested our attack in the more difficult setting of Gaussian error, in addition to the original binomial error distribution of [7].

The experiments were run using a server with AMD Opteron 6274 processor, with a python script using all the cores with Sage version 8.1. We used the fplll [15] library for the CVP solver, and the source code of all the attacks is available online at [1]. The results of our attacks are summarized in Figure 1. We report the total number of instances we broke and the average number of RLWE samples needed for those instances. To decide whether a solution is kept or discarded, its probability mass under the error distribution χ is calculated and compared to the threshold. The threshold for each parameter setting is set heuristically so that minimal weight solutions passing the threshold are correct with high confidence (see Figure 1 for the exact threshold settings). We tested leakage patterns of $(n'=4, S=\{1\})$, $(n'=8, S=\{1,7\})$ and $(n'=8, S=\{1,15\})$, all corresponding to 1/4-fraction leakage, for each parameter setting and were able to break multiple Leaky RLWE instances for every parameter setting/leakage pattern shown in Figure 1. We also report the maximum time it took to break a single instance for each parameter setting in Figure 1. Overall, the maximum amount of time to break a single instance was 6 hours for the hardest instance, i.e. Challenge ID 89. We attempted to launch our attack given only 1/8-fraction of leakage (leakage pattern (n′ = 8, α = 1)), but were only successful for the easiest case, i.e. Challenge ID 1. For, e.g. Challenge ID 89, the attack failed since for 5000 number of linear systems, the maximum confidence of any solution was 0.28, meaning that we expect to recover the secret key with probability at most $0.28^{2048/8} \approx 2^{-470}$, which is well beyond feasible.

Definition 4.1

(Search RLWE (R-SLWE) with Leakage) The search version of the R-LWE problem with leakage, denoted Leaky R-SLWE$_{q,\psi,n',S}$, is parameterized by $(n' \in \{1,2,4,8,\ldots,n\}, S \subseteq \mathbb{Z}_{2n'}^*)$. The experiment chooses $s \leftarrow R_q$ uniformly at random, where $s = \mathrm{NTT}^{-1}(\hat{s})$. The goal of the adversary is to recover s, given independent samples from the distribution $D^s_{\mathrm{real},n',S}$, which outputs $(\hat{a}, \hat{a} \cdot \hat{s} + \hat{e}, [\hat{s}_i]_{i \equiv \alpha \bmod 2n',\, \alpha \in S})$ where a, e are obtained from $A_{s,\psi}$ as in standard RLWE (see Definition A.2).

Definition 4.2

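(Decision RLWE (R-DLWE) with Leakage) The decision version of the R-LWE problem with leakage, denoted Leaky R-DLWE$_{q,\psi,n',S}$, is parameterized by $(n' \in \{1,2,4,8,\ldots,n\}, S \subseteq \mathbb{Z}_{2n'}^*)$. The experiment chooses s ← $R_q$ uniformly at random, where $s = \mathrm{NTT}^{-1}(\hat{s})$. The goal of the adversary is to distinguish between independent samples from the distributions $D^s_{\mathrm{real},n',S}$ and $D^s_{\mathrm{sim},n',S}$, where $D^s_{\mathrm{real},n',S}$ is the same as above, and $D^s_{\mathrm{sim},n',S}$ outputs $(\hat{a}, \hat{u}, [\hat{s}_i]_{i \equiv \alpha \bmod 2n',\, \alpha \in S})$, where a, e are obtained from $A_{s,\psi}$ as in standard RLWE (see Definition A.2) and

$$\hat{u}_i = \hat{a}_i \cdot \hat{s}_i + \hat{e}_i \ \text{ for } i \equiv \alpha \bmod 2n',\ \alpha \in S, \quad \text{and } \hat{u}_i \leftarrow \mathbb{Z}_q$$

chosen uniformly random, otherwise.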

5 Search to Decision Reduction With Leakage

Let the RLWE secret be denoted by $\hat{s}$ and assume WLOG that there exists an adversary that obtains leakage $[\hat{s}_i]_{i \equiv 1 \bmod 2n'}$ and distinguishes $\hat{u} = \hat{a} \cdot \hat{s} + \hat{e}$ from $\hat{u}'$, where $\hat{u}'_i = \hat{a}_i \cdot \hat{s}_i + \hat{e}_i$ for i ≡ 1 mod 2n′ and otherwise is uniform random. It is not hard to see, using techniques of [23, 24, 25], that this implies an attacker that learns a single index $j \in \mathbb{Z}_{2n}^*$, j ≡ b mod 2n′ of the RLWE secret, where $b \not\equiv 1 \bmod 2n'$. We call this the Basic Attack. Due to limited space, we refer readers to Appendix C for description of Basic Attack.

Theorem 5.1

(Existence of Basic Attack). If, for any $(n', S \subseteq \mathbb{Z}_{2n'}^*)$, adversary A running in time t := t(n) distinguishes $D^s_{\mathrm{real},n',S}$ from $D^s_{\mathrm{sim},n',S}$ with probability p := p(n), then there is some index j such that $j \not\equiv \alpha \bmod n'$ for all $\alpha \in S$ and an attack Basic Attack with parameters $(n', S, j, t, p)$, that learns NTT coordinate $\hat{s}_j$ with probability 1 − 1/poly(n) and takes time poly(n) · t · 1/p.

Our attack Attack 1 uses the Basic Attack to learn all the values $[\hat{s}_i]_{i \equiv b^r \bmod 2n'}$ for $r \in [n'/2]$. Let $\hat{s}^1 := \hat{s}$. The main idea of Attack 1 is to learn all $[\hat{s}^1_i]_{i \equiv b \bmod 2n'}$ in the first round, then apply an automorphism to shift the positions $i \equiv b^2 \bmod n'$ into the positions i ≡ b mod 2n′, resulting in a permuted RLWE secret, denoted $\hat{s}^2$. Note that applying the automorphism causes the positions $\hat{s}^1_i$ such that i ≡ b mod n′ to shift into the positions i ≡ 1 mod 2n′. This means that we are now back where we started, and the reduction is now able to provide the required leakage (on $[\hat{s}^2_i]_{i \equiv 1 \bmod 2n'}$) to the adversary and thus can learn the values of $[\hat{s}^2_i]_{i \equiv b \bmod 2n'} = [\hat{s}^1_i]_{i \equiv b^2 \bmod n'}$ in the second iteration, $[\hat{s}^3_i]_{i \equiv b \bmod 2n'} = [\hat{s}^1_i]_{i \equiv b^3 \bmod n'}$ in the third iteration, etc. We next formalize the necessary properties of the automorphisms.

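For $i, j \in \mathbb{Z}_{2n}^*$, let $\phi_{ij}$ be the automorphism that maps $\hat{v}$ to $\hat{v}'$ such that $v'(\omega^i) = v(\omega^j)$. $\phi_{ij}$ induces a permutation on the elements of $\hat{v}$, denoted $\rho_{ij}$. Specifically, $\phi_{ij}(\hat{v})$ maps $\hat{v}_\ell$ to $\hat{v}_{\rho_{ij}(\ell)}$ for $i, j, \ell \in \mathbb{Z}_{2n}^*$, where $\rho_{ij}(\ell) = i^{-1} \cdot j \cdot \ell$.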

Definition 5.2

A probability distribution ψ:(ζm) is automorphically closed in K if for all i, j ∈ m*,ϕij(ψ)=ψ.

We remark that RLWE error distribution χ is automorphically closed [23].

We formally define Attack 1 in Figure 3. We next sketch how Attack 1 can be used to complete the proof. For dimension n and parameter $n' \in \{1,2,4,8,\ldots,n\}$, let $T_{n'} := T_{n'}(n)$ be the (non-uniform) time to solve Leaky R-SLWE for dimension n and parameters $(n', S = \{\alpha\} = \{1\})$, i.e. given positions $[\hat{s}^1_i]_{i \equiv 1 \bmod 2n'}$, with probability 1/2.

Assume subexponential $2^{\Omega(n^\epsilon)}$ hardness of search RLWE without leakage for some constant ϵ ≤ 1 and polynomial modulus q. Then we also have that $T_n(n) \in 2^{\Omega(n^\epsilon)}$, and as discussed in the intro, there must exist a constant c′ such that for sufficiently large n, there exists $n^* = n^*(n) \in \{2,4,8,16,\ldots,n\}$ such that $T_{n^*}(n) \geq 2^{c' \cdot n^\epsilon}$ and $T_{n^*}(n)/T_{n^*/2}(n) \geq n$. The above implies that $T_{n^*/2} \in o(T_{n^*})$.

Now, if given $[\hat{s}^1_i]_{i \equiv 1 \bmod 2n^*}$ leakage, there exists a (t(n), p(n))-distinguishing adversary (where $t(n) = T_{n^*}/\mathrm{poly}(n)$ and $p(n) = 1/T_{n^*}$), then we will show that there is an adversary solving the R-SLWE w.h.p. given positions $[\hat{s}^1_i]_{i \equiv 1 \bmod 2n^*}$ in time less than $T_{n^*}$, leading to contradiction. We begin by running Attack 1, which takes time at most $o(T_{n^*})$ for our settings of t(n) and p(n). If $b \in \mathbb{Z}_{2n^*}^*$ is such that for some $r \in [n^*/2]$, $b^r \equiv n^*+1 \bmod 2n^*$, then we can combine the reconstructed values of $\hat{s}^1_i$ from Attack 1 with our knowledge of $[\hat{s}^1_i]_{i \equiv 1 \bmod 2n^*}$ to obtain all values $[\hat{s}^1_i]_{i \equiv 1 \bmod n^*}$. This means that we can then run the search attack for 2/n*-fraction of leakage to recover all of $\hat{s}$ in time $T_{n^*/2} \in O(T_{n^*})$. But then the entire attack for (1 mod 2n*)-leakage can be run in time $o(T_{n^*})$, contradicting the definition of $T_{n^*}$.

For n* > 4, the only cases in which Attack 1 does not recover $[\hat{s}_i]_{i \equiv n^*+1 \bmod 2n^*}$ is when $b \in \{n^*-1, 2n^*-1\}$. For such b, we do not know how to rule out the possibility that given $[\hat{s}_i]_{i \equiv 1 \bmod 2n^*}$, the positions i ≡ b mod 2n* of $\hat{u}$ do not look random. In this case, however, we argue that given leakage on both $[\hat{s}_i]_{i \equiv 1 \bmod n^*}$ and $[\hat{s}_i]_{i \equiv b \bmod n^*}$, all other positions are indistinguishable from random, since otherwise a modified version of Attack 1 can be run. We next state the formal theorem of this section.

Theorem 5.3

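Assume $n^* := n^*(n) > 4$, $s \leftarrow R_q$, then:

$D^s_{\mathrm{real},n^*,\{\alpha\}} \approx_{t(n),p(n)} D^s_{\mathrm{sim},n^*,\{\alpha\}}$ OR

$D^s_{\mathrm{real},n^*,\{\alpha,(n^*-1)\alpha\}} \approx_{t(n),p(n)} D^s_{\mathrm{sim},n^*,\{\alpha,(n^*-1)\alpha\}}$ OR

$D^s_{\mathrm{real},n^*,\{\alpha,(2n^*-1)\alpha\}} \approx_{t(n),p(n)} D^s_{\mathrm{sim},n^*,\{\alpha,(2n^*-1)\alpha\}}$.

where $t(n) = T_{n^*}/\mathrm{poly}(n)$, $p(n) = 1/T_{n^*}$.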

Proof. We assume WLOG that α = 1. Assume $D^s_{\mathrm{real},n^*,\{1\}} \not\approx_{T_{n^*}/\mathrm{poly}(n),\, 1/T_{n^*}} D^s_{\mathrm{sim},n^*,\{1\}}$. Then this means there must be an adversary A running in time $T_{n^*}/\mathrm{poly}(n)$ that distinguishes on index $j \in \mathbb{Z}_{2n}^*$, where j ≡ b mod 2n′ with probability at least $1/T_{n^*}$.

Case 1: b is such that $b^r \equiv n^*+1 \bmod 2n^*$ for some $r \in [n^*/2]$. In this case, with appropriate setting of poly(n), we can use Attack 1 to recover the positions i such that $i \equiv n^*+1 \bmod 2n^*$ (w.h.p.) in time $o(T_{n^*})$. Now we can run the attack that takes as input $[\hat{s}_i]_{i \equiv 1 \bmod n^*}$ and recovers all of s. By assumption, this attack runs in time $T_{n^*/2} \in O(T_{n^*})$. Thus, we can recover the whole $\hat{s}$ (w.h.p. greater than 1/2) in time $o(T_{n^*})$, which is a contradiction.

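By properties of the group $\mathbb{Z}_{2n^*}^*$, where n* is a power of two, for all $b \in \mathbb{Z}_{2n^*}^* \setminus \{1, n^*-1, 2n^*-1\}$, it is the case that $b^r \equiv n^*+1 \bmod 2n^*$ for some $r \in [n^*/2]$. Thus, Case 1 holds for all $b \in \mathbb{Z}_{2n^*}^* \setminus \{n^*-1, 2n^*-1\}$.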

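Case 2: b = n* − 1. In this case, with appropriate setting of poly(n), we can use Attack 1 to recover the positions i such that $i \equiv n^*-1 \bmod 2n^*$ (w.h.p.) in time $o(T_{n^*})$. Assume $D^s_{\mathrm{real},n^*,\{1,n^*-1\}} \not\approx_{T_{n^*}/\mathrm{poly}(n),\, T_{n^*}/\mathrm{poly}(n)} D^s_{\mathrm{sim},n^*,\{1,n^*-1\}}$, then there must be some adversary A that distinguishes on index $j \in \mathbb{Z}_{2n}^*$, where $j \equiv b' \in \mathbb{Z}_{2n^*}^* \setminus \{1, n^*-1\}$. We can combine this with the previous attack as follows: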

Case 2(a): $b' \in \mathbb{Z}_{2n^*}^* \setminus \{1, n^*-1, 2n^*-1\}$. Due to essentially the same argument as before, by appropriately setting poly(n), we can (w.h.p.) learn all $[\hat{s}_i]_{i \equiv (b')^r \bmod 2n^*}$ for r ∈ [n*/2] in time $o(T_{n^*})$ and then apply the same argument as above.

Specifically, given the initial leakage $[\hat{s}^1_i]_{i \equiv 1 \bmod 2n^*}$, the attack will first learn $[\hat{s}^1_i]_{i \equiv n^*-1 \bmod 2n^*}$, then learn $[\hat{s}^1_i]_{i \equiv b' \bmod 2n^*}$, then, for some (j, j′) such that j ≡ b′ mod 2n* and j′ ≡ 1 mod 2n*, apply automorphism $\phi_{jj'}$ to get $\hat{s}^2$, learn $[\hat{s}^2_i]_{i \equiv n^*-1 \bmod 2n^*}$, then learn $[\hat{s}^2_i]_{i \equiv b' \bmod 2n^*}$, etc. thus ultimately learning $[\hat{s}_i]_{i \equiv (b')^r \bmod 2n^*}$ for r ∈ [n*/2]. At this point, we will have $[\hat{s}_i]_{i \equiv 1 \bmod n^*}$ and thus can learn all of $\hat{s}$ in additional time $T_{n^*/2} \in o(T_{n^*})$. Thus, in total the attack takes time $o(T_{n^*})$, leading to contradiction.

Case 2(b): b′ = 2n* − 1. Due to essentially the same argument as before, with appropriate setting of poly(n), we can (w.h.p.) recover the positions i such that i ≡ 2n* − 1 mod 2n* in time $o(T_{n^*})$. The adversary now knows $[\hat{s}_i]_{i \equiv n^*-1 \bmod n^*}$. We can thus learn all of $\hat{s}$ in additional time $T_{n^*/2} \in o(T_{n^*})$. Thus, in total the attack takes time $o(T_{n^*})$, leading to contradiction.

Case 3: b = 2n* − 1. This essentially follows identically to Case 2.  □

Acknowledgement

This work is supported in part by NSF grants #CNS-1840893, #CNS-1453045 (CAREER), by a research partnership award from Cisco and by financial assistance award 70NANB15H328 from the U.S. Department of Commerce, National Institute of Standards and Technology.

References

[1] Source Code 2019, https://github.com/mathcrypt/RLWE

[2] Adi Akavia, Shafi Goldwasser and Vinod Vaikuntanathan, Simultaneous Hardcore Bits and Cryptography against Memory Attacks, in: TCC 2009 (Omer Reingold, ed.), LNCS 5444, pp. 474–495, Springer, Heidelberg, March 2009.

[3] Martin Albrecht, Carlos Cid, Jean-Charles Faugere, Robert Fitzpatrick and Ludovic Perret, Algebraic algorithms for LWE problems, (2014).

[4] Martin R. Albrecht, Amit Deo and Kenneth G. Paterson, Cold Boot Attacks on Ring and Module LWE Keys Under the NTT, IACR TCHES 2018 (2018), 173–213, https://tches.iacr.org/index.php/TCHES/article/view/7273

[5] Erdem Alkim, Roberto Avanzi, Joppe Bos, Léo Ducas, Antonio de la Piedra, Thomas Pöppelmann, Peter Schwabe and Douglas Stebila, Newhope: Algorithm specification and supporting documentation. Submission to the NIST Post-Quantum Cryptography Standardization Project, 2017.

[6] Erdem Alkim, Léo Ducas, Thomas Pöppelmann and Peter Schwabe, NewHope without reconciliation, Cryptology ePrint Archive, Report 2016/1157, 2016, http://eprint.iacr.org/2016/1157

[7] Erdem Alkim, Léo Ducas, Thomas Pöppelmann and Peter Schwabe, Post-quantum Key Exchange - A New Hope, in: USENIX Security 2016 (Thorsten Holz and Stefan Savage, eds.), pp. 327–343, USENIX Association, August 2016.

[8] Jacob Alperin-Sheriff and Chris Peikert, Practical Bootstrapping in Quasilinear Time, in: CRYPTO 2013, Part I (Ran Canetti and Juan A. Garay, eds.), LNCS 8042, pp. 1–20, Springer, Heidelberg, August 2013.

[9] Madalina Bolboceanu, Zvika Brakerski, Renen Perlman and Devika Sharma, Order-LWE and the Hardness of Ring-LWE with Entropic Secrets, Cryptology ePrint Archive, Report 2018/494, 2018, https://eprint.iacr.org/2018/494

[10] Elette Boyle, Gil Segev and Daniel Wichs, Fully Leakage-Resilient Signatures, Journal of Cryptology 26 (2013), 513–558.

[11] Zvika Brakerski, Yael Tauman Kalai, Jonathan Katz and Vinod Vaikuntanathan, Overcoming the Hole in the Bucket: Public-Key Cryptography Resilient to Continual Memory Leakage, in: 51st FOCS, pp. 501–510, IEEE Computer Society Press, October 2010.

[12] Eric Crockett and Chris Peikert, Challenges for Ring-LWE, IACR Cryptology ePrint Archive 2016 (2016), 782.

[13] Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni and Aria Shahverdi, On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption, Cryptology ePrint Archive, Report 2017/1127, 2017, https://eprint.iacr.org/2017/1127

[14] Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni and Aria Shahverdi, Partial Key Exposure in Ring-LWE-Based Cryptosystems: Attacks and Resilience, Cryptology ePrint Archive, Report 2018/1068, 2018, https://eprint.iacr.org/2018/1068

[15] The FPLLL development team, fplll, a lattice reduction library, available at https://github.com/fplll/fplll, 2016.

[16] Yevgeniy Dodis, Shafi Goldwasser, Yael Tauman Kalai, Chris Peikert and Vinod Vaikuntanathan, Public-Key Encryption Schemes with Auxiliary Inputs, in: TCC 2010 (Daniele Micciancio, ed.), LNCS 5978, pp. 361–381, Springer, Heidelberg, February 2010.

[17] Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt and Daniel Wichs, Cryptography against Continuous Memory Attacks, in: 51st FOCS, pp. 511–520, IEEE Computer Society Press, October 2010.

[18] Yevgeniy Dodis, Yael Tauman Kalai and Shachar Lovett, On cryptography with auxiliary input, in: 41st ACM STOC (Michael Mitzenmacher, ed.), pp. 621–630, ACM Press, May / June 2009.

[19] Stefan Dziembowski and Krzysztof Pietrzak, Leakage-Resilient Cryptography, in: 49th FOCS, pp. 293–302, IEEE Computer Society Press, October 2008.

[20] Shafi Goldwasser, Yael Tauman Kalai, Chris Peikert and Vinod Vaikuntanathan, Robustness of the Learning with Errors Assumption, in: ICS 2010 (Andrew Chi-Chih Yao, ed.), pp. 230–240, Tsinghua University Press, January 2010.

[21] Jonathan Katz and Vinod Vaikuntanathan, Signature Schemes with Bounded Leakage Resilience, in: ASIACRYPT 2009 (Mitsuru Matsui, ed.), LNCS 5912, pp. 703–720, Springer, Heidelberg, December 2009.

[22] Allison B. Lewko, Mark Lewko and Brent Waters, How to leak on key updates, in: 43rd ACM STOC (Lance Fortnow and Salil P. Vadhan, eds.), pp. 725–734, ACM Press, June 2011.

[23] Vadim Lyubashevsky, Search to decision reduction for the learning with errors over rings problem, in: 2011 IEEE Information Theory Workshop, ITW 2011, Paraty, Brazil, October 16-20, 2011, pp. 410–414, 2011.

[24] Vadim Lyubashevsky, Chris Peikert and Oded Regev, On Ideal Lattices and Learning with Errors over Rings, in: EUROCRYPT 2010 (Henri Gilbert, ed.), LNCS 6110, pp. 1–23, Springer, Heidelberg, May / June 2010.

[25] Vadim Lyubashevsky, Chris Peikert and Oded Regev, On Ideal Lattices and Learning with Errors over Rings, J. ACM 60 (2013), 43:1–43:35.

[26] Vadim Lyubashevsky, Chris Peikert and Oded Regev, A Toolkit for Ring-LWE Cryptography, Cryptology ePrint Archive, Report 2013/293, 2013, http://eprint.iacr.org/2013/293

[27] Tal Malkin, Isamu Teranishi, Yevgeniy Vahlis and Moti Yung, Signatures Resilient to Continual Leakage on Memory and Computation, in: TCC 2011 (Yuval Ishai, ed.), LNCS 6597, pp. 89–106, Springer, Heidelberg, March 2011.

[28] Chris Peikert, How (Not) to Instantiate Ring-LWE, in: SCN 16 (Vassilis Zikas and Roberto De Prisco, eds.), LNCS 9841, pp. 411–430, Springer, Heidelberg, August / September 2016.

[29] Krzysztof Pietrzak, A Leakage-Resilient Mode of Operation, in: EUROCRYPT 2009 (Antoine Joux, ed.), LNCS 5479, pp. 462–482, Springer, Heidelberg, April 2009.

[30] Katherine E. Stange, Algebraic aspects of solving Ring-LWE, including ring-based improvements in the Blum-Kalai-Wasserman algorithm, Cryptology ePrint Archive, Report 2019/183, 2019, https://eprint.iacr.org/2019/183

A.1 Algebraic Number Theory

For a positive integer m, the mth cyclotomic number field is a field extension $K = \mathbb{Q}(\zeta_m)$ obtained by adjoining an element $\zeta_m$ of order m (i.e. a primitive mth root of unity) to the rationals.

Ring of Integers $R$ and Its Dual $R^\vee$

Let R ⊂ K denote the set of all algebraic integers in number field K defined above. This set forms a ring (under the usual addition and multiplication operations in K), called the ring of integers of K.

An (integral) ideal $J \subseteq R$ is a non-trivial (i.e. $J \neq \emptyset$ and $J \neq \{0\}$) additive subgroup that is closed under multiplication by R, i.e., $r \cdot a \in J$ for any $r \in R$ and $a \in J$.

Definition A.1

For $R = \mathbb{Z}[\zeta_m]$, define $g = \prod_p (1 - \zeta_p) \in R$, where p runs over all odd primes dividing m. Also, define $t = \hat{m}/g \in R$, where $\hat{m} = m/2$ if m is even, otherwise $\hat{m} = m$.

The dual ideal $R^\vee$ of R is defined as $R^\vee = \langle t^{-1} \rangle$, satisfying $R \subseteq R^\vee \subseteq \hat{m}^{-1} R$. The quotient $R_q^\vee$ is defined as $R_q^\vee = R^\vee / qR^\vee$.

A.2 Ring-LWE

We next present the formal definition of the RLWE problem as given in [26].

Definition A.2

(RLWE Distribution) For a “secret” $s \in R_q^\vee$ (or just $R^\vee$) and a distribution χ over K, a sample from the RLWE distribution $A_{s,\chi}$ over $R_q \times (K/qR^\vee)$ is generated by choosing $a \in R_q$ uniformly at random, choosing e ← χ, and outputting $(a, b = a \cdot s + e \bmod qR^\vee)$.

Definition A.3

(RLWE, Average-Case Decision) The average-case decision version of the RLWE problem, denoted $\text{R-DLWE}_{q,\chi}$, is to distinguish with non-negligible advantage between independent samples from $A_{s,\chi}$, where $s \in R_q^\vee$ is sampled uniformly at random, and the same number of uniformly random and independent samples from $R_q \times (K/qR^\vee)$.

Theorem A.4

[26, Theorem 2.22] Let K be the mth cyclotomic number field having dimension $n = \varphi(m)$ and $R = \mathcal{O}_K$ be its ring of integers. Let $\alpha = \alpha(n) > 0$, and $q = q(n) \geq 2$, $q = 1 \bmod m$ be a poly(n)-bounded prime such that $\alpha q \geq \omega(\sqrt{\log n})$. Then there is a polynomial-time quantum reduction from $\tilde{O}(\sqrt{n}/\alpha)$-approximate SIVP (or SVP) on ideal lattices in K to the problem of solving $\text{R-DLWE}_{q,\chi}$ given only $l$ samples, where χ is the Gaussian distribution $D_\xi$ for $\xi = \alpha q (nl/\log(nl))^{1/4}$.

A Note on the Tweak.

In [8], Alperin-Sheriff and Peikert show that an equivalent “tweaked” form of the Ring-LWE problem can be used in cryptographic applications without loss in security or efficiency. This is convenient since the “tweaked” version does not involve $R^\vee$. The “tweaked” ring-LWE problem can be obtained by implicitly multiplying the noisy products b by the “tweak” factor t, and, as it is explained in [8], $t \cdot R^\vee = R$. This yields new values

$$b' = t \cdot b = (t \cdot s) \cdot a + (t \cdot e) = s' \cdot a + e' \bmod qR,$$

where $a, s' = t \cdot s \in R_q$, and the errors $e' = t \cdot e$ come from the “tweaked” error distribution t · χ.

A.3 Number Theoretic Transform (NTT)

Let $R_q := \mathbb{Z}_q[x]/(x^n + 1)$ be the ring of polynomials, with $n = 2^d$ for any positive integer d. Also, let m = 2n and q = 1 mod m. For ω an mth root of unity in ℤq, the NTT of a polynomial $p = \sum_{i=0}^{n-1} p_i x^i \in R_q$ is defined as

$$\hat{p} = \mathrm{NTT}(p) := \sum_{i=0}^{n-1} \hat{p}_i x^i,$$

where the NTT coefficients $\hat{p}_i$ are defined as: $\hat{p}_i = \sum_{j=0}^{n-1} p_j \omega^{j(2i+1)}$.

The function $\mathrm{NTT}^{-1}$ is the inverse of the function NTT, defined as

$$p = \mathrm{NTT}^{-1}(\hat{p}) := \sum_{i=0}^{n-1} p_i x^i,$$

where the NTT inverse coefficients $p_i$ are defined as: $p_i = n^{-1} \sum_{j=0}^{n-1} \hat{p}_j \omega^{-i(2j+1)}$.
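The transform defined in this section, as an added Python example (not code from the paper or its repository). It uses constructed toy parameters (n = 8, q = 17, ω = 3) and hypothetical function names, and shows why exposed NTT coordinates of the secret matter: multiplication in the ring becomes coordinatewise, so each leaked coordinate of the secret, combined with one RLWE sample, fixes the matching NTT coordinate of the error.

```python
# Toy parameters, constructed for illustration: n = 8, m = 2n = 16, q = 17 (q = 1 mod m).
N, Q = 8, 17
OMEGA = 3  # primitive m-th root of unity mod q: 3^8 = -1 mod 17


def ntt(p):
    """p_hat[i] = sum_j p[j] * omega^(j*(2i+1)), i.e. p evaluated at omega^(2i+1)."""
    return [sum(pj * pow(OMEGA, j * (2 * i + 1), Q) for j, pj in enumerate(p)) % Q
            for i in range(N)]


def intt(p_hat):
    """p[i] = n^-1 * sum_j p_hat[j] * omega^(-i*(2j+1))."""
    n_inv, w_inv = pow(N, -1, Q), pow(OMEGA, -1, Q)
    return [n_inv * sum(hj * pow(w_inv, i * (2 * j + 1), Q)
                        for j, hj in enumerate(p_hat)) % Q
            for i in range(N)]


def ring_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^n + 1): x^n wraps around as -1."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = -1 if i + j >= N else 1
            c[(i + j) % N] += sign * ai * bj
    return [x % Q for x in c]


def rlwe_sample(a, s, e):
    """Return (a, b = a*s + e) with the product taken in the ring."""
    return a, [(x + y) % Q for x, y in zip(ring_mul(a, s), e)]


def error_coords_from_leak(a, b, leaked_s_hat):
    """Given one sample and leaked coordinates {i: s_hat[i]} of the secret,
    return e_hat[i] = b_hat[i] - a_hat[i] * s_hat[i] for every leaked i."""
    a_hat, b_hat = ntt(a), ntt(b)
    return {i: (b_hat[i] - a_hat[i] * si) % Q for i, si in leaked_s_hat.items()}


# Constructed sample values (16 stands for -1 mod 17).
A = [5, 11, 2, 16, 7, 0, 9, 3]
S = [1, 0, 16, 1, 0, 0, 16, 1]
E = [1, 16, 0, 2, 16, 0, 1, 0]
```

NTT slots 0 and 4 hold the evaluations at ω^1 and ω^9, so leaking them corresponds to the exponents congruent to 1 mod 8, a 1/4 fraction of the coordinates in this toy ring.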

B Attack Algorithm for Other Leakage Patterns

B.1 Reconstructing the secret given (α1, α2 mod n′) leakage

Let $e_u^{\alpha}(x)$ be the degree $u = n/n'$ polynomial that is obtained by taking e(x) modulo $x^u - (\omega^{\alpha})^u$. We consider two polynomials $e_u^{\alpha_1}(x)$ and $e_u^{\alpha_2}(x)$. We may assume WLOG, $\alpha_1 = 1$. We therefore set $\alpha := \alpha_2$. For $i \in \{0, \ldots, u-1\}$, the (i + 1)-st coefficient of $e_u(x)$ and $e_u^{\alpha}(x)$ are as follows, respectively

$$e_i + \omega^{u} e_{i+u} + \omega^{2u} e_{i+2u} + \cdots + \omega^{(n'-1)u} e_{i+(n'-1)u},$$

$$e_i + \omega^{\alpha u} e_{i+u} + \omega^{\alpha 2u} e_{i+2u} + \cdots + \omega^{\alpha (n'-1)u} e_{i+(n'-1)u}.$$

Similar to the previous attack, we obtain the following constraints on the error, given leakage on the secret key and an RLWE sample,

$$\begin{pmatrix} 1 & \omega^{u} & \omega^{2u} & \cdots & \omega^{(n'-1)u} \\ 1 & \omega^{\alpha u} & \omega^{\alpha 2u} & \cdots & \omega^{\alpha (n'-1)u} \end{pmatrix} \begin{pmatrix} e_i \\ e_{i+u} \\ e_{i+2u} \\ \vdots \\ e_{i+(n'-1)u} \end{pmatrix} = \begin{pmatrix} e_{u,i} \\ e_{u,i}^{\alpha} \end{pmatrix}$$

We solve a corresponding CVP instance to find the “most likely” solution, e¯j, for $(e_i, e_{i+u}, e_{i+2u}, \ldots, e_{i+(n'-1)u})$, since the “most likely” solution is the one with smallest norm.

Similar to our previous attack, our goal is to carefully choose the answers with “high confidence” such that (1) In total, we must guess at least u number of n′-dimensional solutions, e¯ij, from all the obtained solutions [ e¯ij ]j[],i[u]; (2) With high probability all our guesses are correct. We choose the candidate which has probability of at least, say, 0.95 of being the correct solution. The total probability of success for this case is $0.95^u = 0.95^{n/n'}$.

Our experiments in section 3.2 again show that we can obtain enough “high” confidence solutions, without requiring too large a number of RLWE instances.
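The linear constraints of this section, as an added Python example (not code from the paper or its repository). It works on constructed toy parameters (n = 8, n′ = 4, q = 17, ω = 3) with hypothetical function names, applies the folding directly to a constructed error polynomial, and checks that the u evaluations at exponents congruent to α mod 2n′ determine the reduced polynomial, which is exactly the right-hand side of the two-row system.

```python
# Toy parameters, constructed for illustration: n = 8, q = 17, omega = 3 of order 2n = 16.
N, Q, OMEGA = 8, 17, 3
N_PRIME = 4            # leakage modulus n'; exposed exponents are j = alpha mod 2n'
U = N // N_PRIME       # u = n/n'


def evaluate(poly, x):
    """Horner evaluation of poly (lowest coefficient first) at x mod q."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % Q
    return acc


def fold(e, alpha):
    """Coefficients of e(x) mod (x^u - omega^(alpha*u)):
    c_i = sum_k omega^(alpha*u*k) * e[i + k*u] for k = 0..n'-1."""
    w = pow(OMEGA, alpha * U, Q)
    return [sum(pow(w, k, Q) * e[i + k * U] for k in range(N_PRIME)) % Q
            for i in range(U)]


def leaked_evaluations(e, alpha):
    """e(omega^j) for the u exponents j = alpha mod 2n' that the pattern exposes."""
    return [evaluate(e, pow(OMEGA, alpha + 2 * N_PRIME * t, Q)) for t in range(U)]


def fold_from_leak(evals, alpha):
    """Interpolate fold(e, alpha) from the u exposed evaluations alone."""
    zeta_inv = pow(OMEGA, -2 * N_PRIME, Q)   # omega^(2n') has order u
    u_inv = pow(U, -1, Q)
    return [u_inv * pow(OMEGA, -alpha * i, Q)
            * sum(ev * pow(zeta_inv, t * i, Q) for t, ev in enumerate(evals)) % Q
            for i in range(U)]


def constraint_matrix(alpha):
    """The 2 x n' matrix of the system: rows for alpha_1 = 1 and alpha_2 = alpha."""
    return [[pow(OMEGA, a * U * k, Q) for k in range(N_PRIME)] for a in (1, alpha)]


def apply_constraints(e, alpha, i):
    """Matrix times the block (e_i, e_{i+u}, ..., e_{i+(n'-1)u}) for one index i."""
    block = [e[i + k * U] for k in range(N_PRIME)]
    return [sum(m * x for m, x in zip(row, block)) % Q
            for row in constraint_matrix(alpha)]


E = [1, 16, 0, 2, 16, 0, 1, 0]   # constructed small error; 16 stands for -1 mod 17
```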

C Description of Basic Attack

In this section, we present the Basic Attack, following the description from [23, 24, 25] and using the fact that NTT coefficients form a CRT representation. We first recall definition of CRT representation in our setting of parameters.

Definition C.1

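(CRT Representation) For p ∈ Rq, and ω an mth primitive root of unity in $\mathbb{Z}_q$, the CRT representation for p is defined as

$$\mathrm{CRT}(p) = (p(\omega^{j_1}), \ldots, p(\omega^{j_n})),$$

for $j_i \in \mathbb{Z}^*_m$.

It is easy to see that $\mathrm{CRT}(p) = (\hat{p}_0, \ldots, \hat{p}_{n-1})$.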

We first introduce the following definition:

Definition C.2

(Hybrid Leaky RLWE Distribution) For $j \in \mathbb{Z}^*_{2n} = \{1, 3, \ldots, 2n-1\}$, a “secret” s ∈ Rq, and a distribution χ over Rq, a sample from the distribution $D^{s,j}_{\mathrm{real},n,S}$ is generated by choosing $(\hat{a}, \hat{b}) \leftarrow D^{s}_{\mathrm{real},n,S}$ and outputting $(\hat{a}, \hat{b} + u)$, where $u = (u_1, u_3, \ldots, u_{2n-1}) \in \mathbb{Z}_q^n$ with $u_i$, $i \in \mathbb{Z}^*_{2n}$, defined as follows: $u_i$ is chosen uniformly at random from χq if $i \not\equiv \alpha' \bmod 2n'$ for all $\alpha \in S$ and $i \leq j$, $u_i = 0$ otherwise.

Define $D^{s,-1}_{\mathrm{real},n,S} := D^{s}_{\mathrm{real},n,S}$. Additionally, notice that $D^{s,2n-1}_{\mathrm{real},n,S} = D^{s}_{\mathrm{sim},n,S}$. Thus if, for any (n,δ2n) adversary A running in time t := t(n) distinguishes $D^{s}_{\mathrm{real},n,S}$ from $D^{s}_{\mathrm{sim},n,S}$ with probability p := p(n), then there is some index $j \in \mathbb{Z}^*_{2n}$ such that $j \not\equiv \alpha' \bmod n$ for all $\alpha \in S$ and a distinguisher $\mathcal{D}_j$ that is able to distinguish between the distributions $D^{s,j-2}_{\mathrm{real},n,S}$ and $D^{s,j}_{\mathrm{real},n,S}$ with probability at least p/n.

We now show the distinguisher $\mathcal{D}_j$ can be used to construct an algorithm that finds the value of $\hat{s}_j$. The idea of this algorithm is to try each of the possible values $\hat{s}_j$, constructing the samples on inputs from $D^{s}_{\mathrm{real},n,S}$, so that the samples are distributed according to $D^{s}_{\mathrm{real},n,S}$ if $\hat{s}_j$ is guessed correctly, and the samples are distributed according to $D^{s,j}_{\mathrm{real},n,S}$ otherwise. Then using the distinguisher $\mathcal{D}_j$ poly(n/p) times for each of the q (= poly(n)) guesses for $\hat{s}_i$, we are able to find the correct value of $\hat{s}_j$ with probability 1 − 1/poly(n) in time $t \cdot \mathrm{poly}(n) \cdot 1/p$.

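Next we present the sample construction algorithm that takes a guess $g \in \mathbb{Z}_q$ and transforms $D^{s}_{\mathrm{real},n,S}$ to either $D^{s,j-2}_{\mathrm{real},n,S}$ or $D^{s,j}_{\mathrm{real},n,S}$. On each sample $(\hat{a}, \hat{b}) \leftarrow D^{s}_{\mathrm{real},n,S}$, it outputs a sample

$$(a', b') = (\hat{a} + v, \hat{b} + u + g v),$$

where $u = (u_1, u_3, \ldots, u_{m-1})$, $v = (v_1, v_3, \ldots, v_{m-1}) \in \mathbb{Z}_q^n$ are chosen as follows: $u_k$ is uniform in ℤq if k < j, $k \not\equiv \alpha' \bmod 2n'$ for all $\alpha \in S$, and the rest are 0; $v_k$ is uniform in ℤq if k = j, and the rest are 0. Note that $b'_j$ can be written as

$$b'_j = \hat{a}_j \hat{s}_j + \hat{e}_j + u_j + g v_j = a'_j \hat{s}_j + \hat{e}_j + u_j + (g - \hat{s}_j) v_j.$$

Observe that if g is the correct guess, then $(g - \hat{s}_j) v_j = 0$. The distribution of $(a', b')$ is identical to $D^{s,j-2}_{\mathrm{real},n,S}$. If g is a wrong guess, $(g - \hat{s}_j)$ is non-zero. Since q is prime, $(g - \hat{s}_j) v_j$ is uniform in ℤq. Thus the distribution of $(a', b')$ is identical to $D^{s,j}_{\mathrm{real},n,S}$.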