2023-08-09
Does the Dual-Sieve attack on Learning with Errors even work?
Publication
Publication
Guo and Johansson (ASIACRYPT 2021), and MATZOV (tech. report 2022) have independently claimed improved attacks against various NIST lattice candidates by adding a Fast Fourier Transform (FFT) trick on top of the so-called Dual-Sieve attack. Recently, there was more follow up work in this line adding new practical improvements. However, from a theoretical perspective, all of these works are painfully specific to Learning with Errors, while the principle of the Dual-Sieve attack is more general (Laarhoven & Walter, CT-RSA 2021). More critically, all of these works are based on heuristics that have received very little theoretical and experimental attention. This work attempts to rectify the above deficiencies of the literature. We first propose a generalization of the FFT trick by Guo and Johansson to arbitrary Bounded Distance Decoding instances. This generalization offers a new improvement to the attack. We then theoretically explore the underlying heuristics and show that these are in contradiction with formal, unconditional theorems in some regimes, and with well-tested heuristics in other regimes. The specific instantiations of the recent literature fall into this second regime. We confirm these contradictions with experiments, documenting several phenomena that are not predicted by the analysis, including a “waterfall-floor” phenomenon, reminiscent of Low-Density Parity-Check decoding failures. We conclude that the success probability of the recent Dual-Sieve-FFT attacks are presumably significantly overestimated. We further discuss the adequate way forward towards fixing the attack and its analysis.
Additional Metadata | |
---|---|
, , , , , | |
doi.org/10.1007/978-3-031-38548-3_2 | |
Lecture Notes in Computer Science | |
A Reduction Theory for Codes and Lattices in Cryptography | |
43rd Annual International Cryptology Conference, CRYPTO 2023 | |
Ducas, L., & Pulles, L. (2023). Does the Dual-Sieve attack on Learning with Errors even work?. In Advances in Cryptology (pp. 37–69). doi:10.1007/978-3-031-38548-3_2 |