There is a newer version of this record available.

Report Open Access

Report on the Security of LWE: Improved Dual Lattice Attack

MATZOV

Many of the leading post-quantum key exchange and signature schemes rely on the conjectured hardness of the Learning With Errors (LWE) and Learning With Rounding (LWR) problems and their algebraic variants, including 3 of the 6 finalists in NIST’s PQC process. The best known cryptanalysis techniques against these problems are primal and dual lattice attacks, where dual attacks are generally considered less practical.

In this report, we present several algorithmic improvements to the dual lattice attack, which allow it to exceed the efficiency of primal attacks. In the improved attack, we enumerate over more coordinates of the secret and use an improved distinguisher based on FFT. In addition, we incorporate improvements to the estimates of the cost of performing a lattice sieve in the RAM model, reducing the gate-count of random product code decoding and performing less inner product calculations.

Combining these improvements considerably reduces the security levels of Kyber, Saber and Dilithium, the LWE/LWR based finalists, bringing them below the thresholds defined by NIST.

Files (609.9 kB)
Name Size
Report on the Security of LWE.pdf
md5:0c93519628fee1721847f2cd9582c824
609.9 kB Download
8,514
6,054
views
downloads
All versions This version
Views 8,5147,983
Downloads 6,0545,541
Data volume 3.7 GB3.4 GB
Unique views 6,3016,004
Unique downloads 5,1234,847

Share

Cite as