Security and Communication Networks

Volume 2018, Article ID 4957045, 9 pages

https://doi.org/10.1155/2018/4957045

## Cryptanalysis of Compact-LWE and Related Lightweight Public Key Encryption

Correspondence should be addressed to Yang Yu; nc.ude.auhgnist.sliam@31y-y

Received 15 December 2017; Revised 14 January 2018; Accepted 28 January 2018; Published 11 March 2018

Academic Editor: Ilsun You

Copyright © 2018 Dianyan Xiao and Yang Yu. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

In the emerging Internet of Things (IoT), lightweight public key cryptography plays an essential role in security and privacy protection. With the approach of the quantum computing era, it is important to design and evaluate lightweight quantum-resistant cryptographic algorithms applicable to IoT. LWE-based cryptography is a widely used and well-studied family of postquantum cryptographic constructions whose hardness is based on worst-case lattice problems. To make LWE friendly to resource-constrained IoT devices, a variant of LWE, named Compact-LWE, was proposed and used to design lightweight cryptographic schemes. In this paper, we study the so-called Compact-LWE problem and show that under certain parameter settings it can be solved in polynomial time. As a consequence, our result leads to a practical attack against an instantiated scheme based on Compact-LWE proposed by Liu et al. in 2017.

#### 1. Introduction

The Internet is changing from a network of conventional computers to a network of smart objects, that is, “things,” including vehicles, electronics, implantable medical devices, and sensors. The trend of Internet of Things (IoT) makes the Internet more ubiquitous, but it simultaneously brings a series of challenges, such as monitoring [1], communication [2], and management [3]. Among all these challenges, security [4–6] is currently listed as a top concern. As the theoretical basis, cryptographic algorithms play a key role in achieving data confidentiality and integrity, authentication, and other security needs in IoT.

Currently, RSA and ECC cryptosystems have been implemented efficiently on resource-constrained devices [7, 8], which provides desirable security for IoT applications. However, these public key schemes are based on integer factorization or discrete logarithms, which are fragile under quantum cryptanalysis. To defend against quantum attacks, NIST has launched the postquantum cryptography standardization. Lattice-based cryptography is viewed as a very promising postquantum alternative to classical cryptography due to its strong security guarantee, great performance, and powerful functionality. It is becoming increasingly important to design and evaluate practical schemes based on well-studied lattice problems.

The *Learning With Errors* (LWE) problem, introduced by Regev [9], is one of the most popular lattice problems for cryptographic applications [10–13]. An LWE instance consists of a random matrix and a vector , where the secret and the error are sampled from a certain distribution. The decision LWE problem is to distinguish the distribution of LWE instances from the uniform distribution over , while the search version is to recover the secret from LWE instances. In [9], the average-case LWE is proved as hard as certain worst-case lattice problems, which provides a solid theoretical grounding for LWE-based schemes.

However, LWE-based schemes are usually not efficient in practice. It seems infeasible to apply regular LWE-based cryptographic constructions to IoT directly, due to the constrained computing environments of smart devices. Thus it is critical to refine existing algorithms or develop new LWE-based cryptographic schemes for security protection using limited resources. So far, there are mainly two optimization strategies: (1) introducing extra algebraic structures and (2) reducing the sizes of matrix or vector elements. Following the first one, some LWE variants, such as Ring-LWE [14] and Module-LWE [15], were developed and led to many practical schemes [16–18] and efficient implementations [19, 20]. Following the second strategy, some variants were proposed as well, including LWE with short secret or error [21–23] and LWE with compact matrix [24, 25]. Then, related cryptanalyses [26–29] provided concrete security estimations for the schemes based on these variants.

A recent instantiation of an LWE-based encryption scheme with particularly aggressive parameters was proposed by Liu et al. [25] and presented as an invited talk at the ACISP 2017 conference. The scheme is based on the so-called Compact-LWE and is designed especially for resource-constrained IoT devices. As shown by experimental results, the scheme indeed achieves excellent performance on small IoT devices. Subsequently, Bootle and Tibouchi gave a cryptanalysis of this scheme [29] by recovering the nonce in the encryption process with the help of the lattice embedding technique. They pointed out that the security level was much lower than [25] claimed.

We looked into the Compact-LWE problem, an LWE variant in which the random is selected from a small range, and discovered that the two -ary lattices defined by have reduced bases with special patterns. We proved that the Compact-LWE problem can be solved in polynomial time under certain parameters, and we applied this result to analyze two concrete lightweight public key schemes proposed in [24, 25], respectively. We failed to attack the scheme of [24] due to its moderate parameters, but for the encryption scheme in [25] we successfully recovered plaintexts with 100% probability and within a very short time. Compared with the attack against the scheme of [25] in [29], our attack follows a different method and can be used to analyze general cryptographic constructions based on this kind of LWE variant.

The article is organized as follows. In Section 2, we recall some notations and basic facts used in our discussion. In Section 3, we introduce Compact-LWE and present our analysis. We describe a concrete attack against related Compact-LWE-based schemes in Section 4 and conclude in Section 5.

#### 2. Preliminaries

##### 2.1. Notations

For any positive integer , we identify with the set . We denote by the remainder of divided by in and by the remainder in . Let and be the Euclidean inner product and norm, respectively. The elements of are viewed as column vectors. For any point and , we denote by the -dimensional ball of radius centered at .

##### 2.2. Probability and Statistics

Let be a distribution over a discrete domain . We write to represent the random variable that is sampled from the distribution . For a finite domain , we denote by the uniform distribution over .

A function is *negligible* if for every fixed constant . We generally denote by a negligible function with respect to . We say that a probability is *overwhelming* if it is , and a probability is *nonnegligible* if it is for some constant .

*Definition 1.* Given a distribution over , we say that is -confidence with respect to if and for .

The parameter describes an overwhelming confidence interval for with respect to , while describes a nonnegligible confidence interval.

##### 2.3. Lattices

A *lattice* is a discrete additive subgroup of generated by a set of linearly independent vectors , that is, . We call a *basis* of and write as or . The integer is called the *rank* of . For any unimodular matrix , is also a basis of . The *span* of , denoted by , is the linear space spanned by its basis. The first minimum of a lattice is defined as .

We denote by the *Gram-Schmidt orthogonalization* of , where and . The *volume* of is defined as , which is an invariant of and is independent of the choice of basis.

The *dual* lattice of is . If is a basis of , it is known that is a basis of . Furthermore, we have the following relation between the Gram-Schmidt orthogonalization of a basis and its dual.

Lemma 2. *Let be an ordered basis of lattice and be its dual basis in reverse order (i.e., where denotes Kronecker delta). Then for .*

Given a lattice and a “reasonable” subset of , the *Gaussian heuristic* says that the number of points in is approximately . From the Gaussian heuristic, we would expect that , where .

Lattice reduction is a powerful tool for cryptanalysis. LLL, invented by Lenstra et al. [30], is the first polynomial time lattice reduction algorithm. We now recall this classical reduction; for a detailed introduction, we refer to [31].

*Definition 3 (LLL reduced basis).* A basis is a -LLL reduced basis with if the following conditions hold:
(1) Size Reduced: for .
(2) Lovász Condition: for .

Then we immediately get the following property of LLL reduced bases.

Lemma 4. *Let be a -LLL reduced basis. For any , we have , where .*

#### 3. Compact-LWE and Its Weak Instances

In this section, we will introduce an LWE variant named Compact-LWE and report on an attack against certain Compact-LWE instances. A formal definition of Compact-LWE is given as follows.

*Definition 5.* Let be positive integers and be a distribution over . Given , the Compact- problem is to recover from , where and .

Compared with classical LWE, the elements of , namely , can be smaller than the modulus . Thanks to this modification, Compact-LWE-based schemes have smaller public key sizes and better efficiency than original LWE-based schemes. Thus Compact-LWE seems friendly to lightweight cryptography and constrained devices.

##### 3.1. Structures of -Ary Lattices in Compact-LWE

We introduce two -dimensional -ary lattices which are widely used in the cryptanalysis of LWE. The first lattice, denoted by , is generated by the columns of and and defined as The second lattice is formed by all integer vectors “orthogonal” (modulo ) to the columns of , which is

As shown in [10], these two lattices are duals scaled by a factor:

By running the LLL algorithm on , one obtains a basis of . For in the compact setting, the LLL-reduced basis has a special structure.

Lemma 6. *Let , where and . Let be the basis of obtained by running LLL with parameter on . Then, under the Gaussian heuristic, for :*
(1) * and for ;*
(2) * for .*

*Proof.* Let be the homomorphism mapping to . It can be verified that is injective, so we have Together with (4), it follows that Let denote the projection onto the orthogonal complement of . Considering the projected lattice generated by , the dimension of is . Combined with (6), we have Since , it follows that By the Gaussian heuristic, we have that A straightforward computation shows that . It is known that the maximum of the Gram-Schmidt norms never increases during the LLL algorithm. Thus, the Lovász condition always holds for the th and th vectors during LLL, which means that these two vectors are never swapped. In other words, running LLL on is equivalent to running LLL on and separately. Consequently, we have and for .

For the second inequality, Lemma 4 yields that because . This completes the proof.

*Remark 7.* Experimental results agree with Lemma 6. Under the parameter settings , we generated instances for each ranging from to . Figure 1 illustrates the average profile of , where the first ’s are relatively short when is small. We notice that the slope of is less than the theoretical bound , which is explained by LLL performing better in practice than the theoretical prediction. Figure 2 shows the gap between and , which narrows as increases. It is worth noting that when (the bound in Lemma 6, marked by the dashed line), the gap is quite significant.
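As an added illustration of the basis structure in Lemma 6 and the experiment of Remark 7 (example code written for this page, not the paper's own implementation), the Python below builds a basis of the lattice of integer vectors orthogonal to modulo for a constructed toy Compact-LWE matrix whose first rows are the identity (an assumption that avoids a modular inverse), runs a textbook exact-arithmetic LLL on it, and reports for each reduced vector its norm, its Gram-Schmidt norm, and whether it is orthogonal to over the integers. Because the entries of the matrix are far smaller than the modulus, the first reduced vectors are short integer-kernel vectors, while the remaining ones have Gram-Schmidt norms on the order of the modulus.

```python
from fractions import Fraction

def gram_schmidt(b):
    """Gram-Schmidt orthogonalisation over Q: returns (b*, mu) as in Section 2.3."""
    bs, mu = [], [[Fraction(0)] * len(b) for _ in b]
    for i, v in enumerate(b):
        w = [Fraction(x) for x in v]
        for j in range(i):
            mu[i][j] = sum(Fraction(x) * y for x, y in zip(v, bs[j])) / sum(y * y for y in bs[j])
            w = [x - mu[i][j] * y for x, y in zip(w, bs[j])]
        bs.append(w)
    return bs, mu

def sq_norm(v): return sum(x * x for x in v)

def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL (Definition 3) on integer row vectors, in exact arithmetic."""
    b = [list(v) for v in basis]
    bs, mu = gram_schmidt(b)
    k = 1
    while k < len(b):
        for j in range(k - 1, -1, -1):               # size reduction
            r = round(mu[k][j])
            if r:
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                bs, mu = gram_schmidt(b)
        if sq_norm(bs[k]) >= (delta - mu[k][k - 1] ** 2) * sq_norm(bs[k - 1]):  # Lovasz
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bs, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b

def compact_lwe_profile(A2, q, delta=Fraction(99, 100)):
    """Reduce a basis of {y in Z^m : y^T A = 0 mod q} for A = [I_n; A2] with A2 small,
    and return (||y||^2, ||y*||^2, y^T A == 0 over Z) for each reduced vector y."""
    n, k = len(A2[0]), len(A2)
    m = n + k
    A = [[int(i == j) for j in range(n)] for i in range(n)] + [list(r) for r in A2]
    basis = [[q * int(c == i) for c in range(m)] for i in range(n)]               # q * e_i
    basis += [[(-A2[j][c]) % q for c in range(n)] + [int(c == j) for c in range(k)]
              for j in range(k)]                                                  # (-A2_j mod q, e_j)
    red = lll(basis, delta)
    bs, _ = gram_schmidt(red)
    return [(sq_norm(y), sq_norm(ys),
             all(sum(y[i] * A[i][c] for i in range(m)) == 0 for c in range(n)))
            for y, ys in zip(red, bs)]

# Constructed toy instance (not from the paper): m = 5, n = 2, entries of A in [0, 4), q = 2^40.
A2_TOY = [[3, 1], [2, 2], [0, 3]]
Q_TOY = 2 ** 40
```

On the toy instance, `compact_lwe_profile(A2_TOY, Q_TOY)` returns three short vectors that are orthogonal to the matrix over the integers followed by two vectors whose Gram-Schmidt norms exceed one twentieth of the modulus.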