#### Abstract

In the emerging Internet of Things (IoT), lightweight public key cryptography plays an essential role in security and privacy protection. With the approach of the quantum computing era, it is important to design and evaluate lightweight quantum-resistant cryptographic algorithms applicable to IoT. LWE-based cryptography is a widely used and well-studied family of postquantum cryptographic constructions whose hardness is based on worst-case lattice problems. To make LWE friendly to resource-constrained IoT devices, a variant of LWE, named Compact-LWE, was proposed and used to design lightweight cryptographic schemes. In this paper, we study the so-called Compact-LWE problem and show that under certain parameter settings it can be solved in polynomial time. As a consequence, our result leads to a practical attack against an instantiated scheme based on Compact-LWE proposed by Liu et al. in 2017.

#### 1. Introduction

The Internet is changing from a network of conventional computers to a network of smart objects, that is, “things,” including vehicles, electronics, implantable medical devices, and sensors. The trend of Internet of Things (IoT) makes the Internet more ubiquitous, but it simultaneously brings a series of challenges, such as monitoring [1], communication [2], and management [3]. Among all these challenges, security [4–6] is currently listed as a top concern. As the theoretical basis, cryptographic algorithms play a key role in achieving data confidentiality and integrity, authentication, and other security needs in IoT.

Currently, RSA and ECC cryptosystems have been implemented efficiently on resource-constrained devices [7, 8], which provides desirable security for IoT applications. However, these public key schemes are based on integer factorization or discrete logarithms, which are fragile under quantum cryptanalysis. To defend against quantum attacks, NIST has launched the postquantum cryptography standardization. Lattice-based cryptography is viewed as a very promising postquantum alternative to classical cryptography due to its strong security guarantees, good performance, and powerful functionality. It is becoming increasingly important to design and evaluate practical schemes based on well-studied lattice problems.

The *Learning With Errors* (LWE) problem, introduced by Regev [9], is one of the most popular lattice problems for cryptographic applications [10–13]. An LWE instance consists of a random matrix and a vector , where the secret and the error are sampled from a certain distribution. The decision LWE problem is to distinguish the distribution of LWE instances from the uniform distribution over , while the search version is to recover the secret from LWE instances. In [9], the average-case LWE is proved as hard as certain worst-case lattice problems, which provides a solid theoretical grounding for LWE-based schemes.

However, LWE-based schemes are usually not efficient in practice. It seems infeasible to apply regular LWE-based cryptographic constructions to IoT directly, due to the constrained computing environments of smart devices. Thus it is critical to refine existing algorithms or develop new LWE-based cryptographic schemes for security protection using limited resources. So far, there are mainly two optimization strategies: (1) introducing extra algebraic structures and (2) reducing the sizes of matrix or vector elements. Following the first one, some LWE variants, such as Ring-LWE [14] and Module-LWE [15], were developed and led to many practical schemes [16–18] and efficient implementations [19, 20]. Following the second strategy, some variants were proposed as well, including LWE with short secret or error [21–23] and LWE with compact matrix [24, 25]. Then, related cryptanalyses [26–29] provided concrete security estimations for the schemes based on these variants.

A recent instantiation of an LWE-based encryption scheme with particularly aggressive parameters was proposed by Liu et al. [25] and presented as an invited talk at the ACISP 2017 conference. The scheme is based on the so-called Compact-LWE and designed especially for resource-constrained IoT devices. As shown by experimental results, the scheme indeed achieves excellent performance on small IoT devices. Subsequently, Bootle and Tibouchi gave a cryptanalysis of this scheme [29] by recovering the nonce in the encryption process with the help of the lattice embedding technique. They pointed out that the security level was much lower than [25] claimed.

We looked into the Compact-LWE problem, an LWE variant with the random matrix selected from a small range, and discovered that the two -ary lattices defined by have reduced bases of special patterns. We proved that the Compact-LWE problem can be solved in polynomial time under certain parameters, and applied this result to analyze two concrete lightweight public key schemes proposed in [24, 25], respectively. We could not attack the scheme of [24] because of its moderate parameters, but we successfully recovered plaintexts with 100% probability and within a very short time for the encryption scheme in [25]. Compared with the attack against the scheme of [25] in [29], our attack follows a different method and can be used to analyze general cryptographic constructions based on this kind of LWE variant.

The article is organized as follows. In Section 2, we recall some notations and basic facts used in our discussion. In Section 3, we introduce Compact-LWE and present our analysis. We describe a concrete attack against related Compact-LWE-based schemes in Section 4 and conclude in Section 5.

#### 2. Preliminaries

##### 2.1. Notations

For any positive integer , we identify with the set . We denote by the remainder of divided by in and by the remainder in . Let and be the Euclidean inner product and norm, respectively. The elements of are viewed as column vectors. For any point and , we denote by the -dimensional ball of radius centered at .

##### 2.2. Probability and Statistics

Let be a distribution over a discrete domain . We write to represent the random variable that is sampled from the distribution . For a finite domain , we denote by the uniform distribution over .

A function is *negligible* if for every fixed constant . We generally write for a negligible function with respect to . We say that a probability is *overwhelming* if it is , and a probability is *nonnegligible* if it is for some constant .

*Definition 1.* Given a distribution over , we say that is -confidence with respect to , if and for .

The parameter describes an overwhelming confidence interval for with respect to , while describes a nonnegligible confidence interval.

##### 2.3. Lattices

A *lattice* is a discrete additive subgroup of generated by a set of linearly independent vectors , that is, . We call a *basis* of and write as or . The integer is called the *rank* of . For any unimodular matrix , is also a basis of . The *span* of , denoted by , is the linear space spanned by its basis. The first minimum of a lattice is defined as .

We denote by the *Gram-Schmidt orthogonalization* of , where and . The *volume* of is defined as , which is an invariant of and independent of the choice of the basis.

The *dual* lattice of is . If is a basis of , it is known that is a basis of . Furthermore, we have the following relation between the Gram-Schmidt orthogonalization of a basis and that of its dual.

Lemma 2. *Let be an ordered basis of the lattice and be its dual basis in reverse order (i.e., , where denotes the Kronecker delta). Then for .*

Given a lattice and a “reasonable” subset of , the *Gaussian heuristic* says that the number of points in is approximately . From the Gaussian heuristic, we would expect that , where .

Lattice reduction is a powerful tool for cryptanalysis. LLL, invented by Lenstra et al. [30], is the first polynomial time lattice reduction algorithm. We now recall this classical reduction. For a detailed introduction, we refer to [31].

*Definition 3 (LLL reduced basis).* A basis is a -LLL reduced basis with if the following conditions hold: (1) Size reduced: for . (2) Lovász condition: for .

Then we immediately get the following property of LLL reduced bases.

Lemma 4. *Let be a -LLL reduced basis. For any , we have , where .*

#### 3. Compact-LWE and Its Weak Instances

In this section, we will introduce an LWE variant named Compact-LWE and report on an attack against certain Compact-LWE instances. A formal definition of Compact-LWE is given as follows.

*Definition 5.* Let be positive integers and be a distribution over . Given , the Compact- problem is to recover from , where and .

Compared with classical LWE, the sizes of elements of , namely , can be less than the modulus . Thanks to this modification, Compact-LWE-based schemes are of smaller public key sizes and better efficiency than original LWE-based schemes. Thus Compact-LWE seems friendly to lightweight cryptography and constrained devices.

##### 3.1. Structures of -Ary Lattices in Compact-LWE

We introduce two -dimensional -ary lattices which are widely used in the cryptanalysis of LWE. The first lattice, denoted by , is generated by the columns of and and defined as The second lattice is formed by all integer vectors “orthogonal” (modulo ) to the columns of , which is

As shown in [10], these two lattices are duals scaled by a factor:

By running the LLL algorithm with input , one can obtain a basis of . For in the compact setting, the LLL reduced basis has a special structure.

Lemma 6. *Let , where and . Let be the basis of obtained by running LLL with parameter on . Under the Gaussian heuristic, for : (1) and for ; (2) for .*

*Proof.* Let be the homomorphism mapping to . It can be verified that is injective; then we have Together with (4), it follows that Let denote the projection to the orthogonal complement of . Considering the projected lattice generated by , the dimension of is . Combined with (6), we have Since , it follows that By the Gaussian heuristic, we have that A straightforward computation leads to . It is known that the maximum of the Gram-Schmidt norms never increases during the LLL algorithm. Thus, the Lovász condition always holds for the th and th vectors during LLL, which means that these two vectors are never swapped. In other words, running LLL on is equivalent to running LLL on and separately. Consequently, we have and for .

For the second inequality, Lemma 4 yields that because . This completes the proof.

*Remark 7.* Experimental results coincide with Lemma 6. Under the parameter settings , we generated instances for each ranging from to . Figure 1 illustrates the average profile of , where the first ’s are relatively short when is small. We notice that the slope of is less than the theoretical bound , which is explained by LLL performing better in practice than the theoretical prediction. Figure 2 shows the gap between and , which narrows as increases. It is worth noting that when (the bound in Lemma 6, marked by the dashed line), the gap is quite significant.

Lemma 8. *Let and . Let and . There exists a basis of , denoted by , satisfying the following conditions under the Gaussian heuristic: (1) ; (2) for ; (3) for , where . This basis can be obtained in polynomial time.*

*Proof.* Let be the LLL reduced basis of defined in Lemma 6, where . Let be a matrix such that . Then, from (4), is a basis of . Let , where .

Let . We claim that . It is easy to observe that where . On one hand, we have since . On the other hand, for arbitrary , there exists a unique vector pair such that . Since , we have and then . Therefore, it holds that .

We run the size reduction algorithm on (the vectors of in reverse order) and obtain a new basis of , denoted by . Size reduction can be done in polynomial time; thus it suffices to prove that the last two conditions hold for . From Lemmas 2 and 6, we have that, for , and then Let , where is the projection to the orthogonal complement of . Observing that and for , together with Lemma 6, we have On the basis of the Gaussian heuristic, we conclude that, for , This completes the proof.

*Remark 9.* We ran experiments under the parameters and tested instances for each ranging from to . Figure 3 provides a geometric intuition of . There also exists a large gap between and when is small. As illustrated in Figure 4, the gap between and shrinks as grows. However, when (marked by the dashed line), the length of is far less than .

##### 3.2. Attack Against Weak Compact-LWE Instances

Figure 1 illustrates a staircase-shaped profile of the basis of . Exploiting this feature, we can prove that it is possible to efficiently recover a candidate error whose norm is close to that of the original error for certain parameters. The following lemma will be used in the later discussion.

Lemma 10. *Let be a lattice of rank and be a basis of . Let and . If , then there exists a unique vector in .*

*Proof.* We denote by the vector output by Babai’s nearest plane algorithm [32] on the lattice and target vector . Assume, by contradiction, that is another vector in and . Let be the largest index such that . According to the process of Babai’s algorithm, we conclude that , which implies , a contradiction.

Next we demonstrate a class of provably weak instances of Compact-LWE and also an attack aiming at them.

Theorem 11. *Let be positive integers satisfying and , where for and a constant . Let be a -confidence distribution. Under the Gaussian heuristic, there exists a probabilistic polynomial time algorithm solving Compact-.*

*Proof.* Given a random sample , we can obtain a basis of , denoted by , by applying the LLL algorithm with parameter on . Running Babai’s algorithm on and target vector , we get a solution pair . We now prove that is a valid solution to Compact-LWE, that is, , with nonnegligible probability.

From Lemma 6, we get that for . We denote by the projection to the orthogonal complement of . Let and . Lemma 10 shows that there exists a unique vector in , namely, . Then we have Since is -confidence, it follows that with nonnegligible probability. Thus the probability that is nonnegligible.

*Remark 12.* In such weak instances, it can be verified that , and thus the parameters are overstretched [33, 34]. The inequalities given in Lemma 6 follow the worst-case result of LLL, but LLL behaves much better in practice. Hence our attack may apply to more Compact-LWE instances. Moreover, note that, for usual LWE distributions such as the discrete Gaussian, it is easy to set such that is -confidence.
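The procedure behind Lemma 6 and Theorem 11 (LLL-reduce the -ary lattice generated by the columns of and , observe the staircase profile, then run Babai’s nearest plane algorithm on the target to read off the error) can be exercised on a toy instance. The block below is an added example, not code from the paper or from the NTL experiments it reports: it is a pure-Python, exact-arithmetic LLL and Babai, so it only handles tiny dimensions, and the instance (the prime modulus `Q`, the matrix `A` with entries below 16, the secret `S` and the error `E`) is constructed here and is not a parameter set from the paper. The basis of the -ary lattice is written in the form that assumes the top n × n block of `A` is invertible modulo `Q` (a routine Gauss-Jordan inverse, also an assumption of this example); the overstretched modulus makes Babai return the exact lattice point, so the error and secret come back unchanged.

```python
"""Added example (not the paper's code): LLL on the q-ary lattice of a toy
Compact-LWE instance, then Babai's nearest plane, as in the proof of
Theorem 11.  Exact Fraction arithmetic, so only tiny dimensions."""
from fractions import Fraction

# Constructed toy instance (assumption: far smaller than any real parameter set).
# q is overstretched relative to the entry bound of A and the error size.
Q = 1000003                                            # prime modulus
A = [[5, 0], [0, 6], [7, 0], [0, 4], [3, 0], [0, 8]]  # m = 6 samples, n = 2, entries < 16
S = [123456, 654321]                                   # secret in Z_q^n
E = [1, -1, 0, 1, 0, -1]                               # small error vector
M, N = len(A), len(A[0])
B = [(sum(A[i][j] * S[j] for j in range(N)) + E[i]) % Q for i in range(M)]


def inv_mod_matrix(mat, q):
    """Gauss-Jordan inverse of a square matrix modulo the prime q."""
    n = len(mat)
    aug = [[x % q for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(mat)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            raise ValueError("top block of A is singular mod q")
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, q)
        aug[c] = [x * inv % q for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(x - f * y) % q for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def qary_basis(a, q):
    """Row basis of L_q(A) = {y in Z^m : y = A s mod q}.  Assumes the top n x n
    block A1 of A is invertible mod q; with C = A2 A1^{-1} mod q the lattice is
    {(y1, y2) : y2 = C y1 mod q}, so (e_i, C e_i) and (0, q e_j) form a basis."""
    m, n = len(a), len(a[0])
    a1_inv = inv_mod_matrix(a[:n], q)
    c = [[sum(a[i][k] * a1_inv[k][j] for k in range(n)) % q for j in range(n)]
         for i in range(n, m)]
    rows = [[int(i == j) for j in range(n)] + [c[r][i] for r in range(m - n)] for i in range(n)]
    rows += [[0] * n + [q * int(r == j) for j in range(m - n)] for r in range(m - n)]
    return rows


def gram_schmidt(basis):
    """Gram-Schmidt vectors B* and coefficients mu, computed exactly."""
    bs, mu = [], []
    for i, row in enumerate(basis):
        v = [Fraction(x) for x in row]
        mu.append([])
        for j in range(i):
            mu[i].append(sum(x * y for x, y in zip(row, bs[j])) / sum(y * y for y in bs[j]))
            v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
        bs.append(v)
    return bs, mu


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL: size reduction of b_k, then the Lovasz condition decides
    whether to advance or to swap b_k with b_{k-1}."""
    b = [list(v) for v in basis]
    norm2 = lambda v: sum(x * x for x in v)
    k = 1
    while k < len(b):
        bs, mu = gram_schmidt(b)
        for j in range(k - 1, -1, -1):          # size-reduce b_k against b_j
            r = round(mu[k][j])
            if r:
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                mu[k][j] -= r                    # keep mu consistent (b*_k is unchanged)
                for l in range(j):
                    mu[k][l] -= r * mu[j][l]
        if norm2(bs[k]) >= (delta - mu[k][k - 1] ** 2) * norm2(bs[k - 1]):
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            k = max(k - 1, 1)
    return b


def gs_profile(basis):
    """Gram-Schmidt norms; on a reduced basis of L_q(A) Lemma 6's staircase
    (n short vectors, then very long ones) is visible."""
    return [float(sum(x * x for x in v)) ** 0.5 for v in gram_schmidt(basis)[0]]


def babai_nearest_plane(basis, target):
    """Babai's nearest plane algorithm: the lattice vector v with target - v
    inside the fundamental parallelepiped of the Gram-Schmidt vectors."""
    bs, _ = gram_schmidt(basis)
    t = [Fraction(x) for x in target]
    for i in range(len(basis) - 1, -1, -1):
        c = round(sum(x * y for x, y in zip(t, bs[i])) / sum(y * y for y in bs[i]))
        t = [x - c * y for x, y in zip(t, basis[i])]
    return [int(x - y) for x, y in zip(target, t)]


def recover_error_and_secret(a, b, q):
    """Reduce L_q(A), run Babai on b, read off e = b - v and s = A1^{-1} v1 mod q."""
    n = len(a[0])
    v = babai_nearest_plane(lll(qary_basis(a, q)), b)
    e = [bi - vi for bi, vi in zip(b, v)]
    a1_inv = inv_mod_matrix(a[:n], q)
    s = [sum(a1_inv[i][k] * v[k] for k in range(n)) % q for i in range(n)]
    return e, s


if __name__ == "__main__":
    print("profile:", [round(x, 1) for x in gs_profile(lll(qary_basis(A, Q)))])
    print("recovered:", recover_error_and_secret(A, B, Q))
```

The profile printed for this instance has two Gram-Schmidt norms of roughly the size of the columns of `A` followed by four norms of order , which is the staircase of Lemma 6; because the error is far shorter than half of every Gram-Schmidt vector, Lemma 10 applies and Babai returns exactly , so `recover_error_and_secret` returns `E` and `S`. With a modulus that is not overstretched relative to the entries of `A`, the first Gram-Schmidt norms drop to the size of the error and the same call returns a wrong pair, which is the regime in which Theorem 11 says nothing.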

#### 4. Attack against Compact-LWE-Based Schemes

In this section, the analysis of Section 3 is applied to attack concrete Compact-LWE-based lightweight encryption schemes. We successfully recover the plaintexts in the IoT-oriented public key encryption proposed by Liu et al. in [25], following an approach completely different from that of [29]. However, we were unable to give an effective cryptanalysis of the binary LWE-based lightweight encryption in [24].

##### 4.1. Liu et al.’s Compact-LWE-Based Scheme

First, we briefly recall the public key encryption in [25]. The scheme is specified by a tuple of public parameters satisfying We list below the three main algorithms: key generation , encryption , and decryption .

(i) : sample , and choose from such that and are pairwise coprime. Sample and . Let be such that . Output as the secret key and as the public key.

(ii) : uniformly and independently sample , and calculate , where is the th row of . Let ; output as the ciphertext.

(iii) : calculate and then calculate . Let be the multiplicative inverse of modulo . Output the plaintext .

In [25], the authors also proposed concrete parameters to instantiate the scheme. The parameters are listed as follows:

(i) Public parameters:

(ii) Secret parameters: , where or .

##### 4.2. Attack against Liu et al.’s Scheme

According to the average profile of the bases shown in Lemmas 6 and 8 under the parameters suggested in [25] (see Figures 5 and 6), Liu et al.’s scheme appears fragile. We propose a new attack against Liu et al.’s scheme using our analysis of Compact-LWE in Section 3.

Our attack consists of two steps: *guessing the mask coefficient* and *recovering the plaintext*. In the first step, one can almost always determine the pair (sometimes together with several possible candidate pairs) by enumerating and checking. In the second step, combined with , one can calculate a valid solution pair to the Compact-LWE problem and thereby recover the plaintext. We now give the details of our attack.

*Step 1 (guessing the mask coefficient ).* First, we prove that the secret parameters and can be recovered efficiently from the public key alone.

Let be a basis of as described in Lemma 4 with . Let be such that ; then we have that Since and is also small when , a routine computation yields that under the parameter setting suggested in [25]. Then it holds that for . We try all possible pairs and check inequality (21) for each ; a pair is viewed as a candidate when the inequality holds for all .

Experiments indicate that this step determines the unique correct most of the time, and outputs a few candidates (including the correct pair) of the form for a small factor at other times. Therefore, by guessing and , we can actually remove the secret scaling factor and transform into a standard Compact-LWE sample.

*Step 2 (recovering the plaintext).* After the previous step, we obtain one or more pairs. Next, we show how to recover the plaintext from these pairs together with the ciphertext.

Let be the basis of described in Lemma 6. Given a candidate pair of the mask coefficient, where is small, let . Running Babai’s algorithm on and target vector , we obtain , and we let . We observe that the distance from to is at most , and for . Following an argument similar to (16) in Theorem 11, we know that Let be such that ; then , where . Exploiting the substitute secret key , we can decrypt the ciphertext as follows:

(1) Calculate .

(2) Calculate .

(3) Return , where .

We now explain why the ciphertext is decrypted correctly by the above algorithm. It can be checked that . Noticing that is well-bounded and that some coordinates of could be negative, we may assert that with high probability. Thus the term can be recovered (as ) correctly, which implies that is the plaintext.

Experiments show that the plaintext can indeed be recovered, even if for some . When is large, the norm of may exceed the upper bound , which implies that is a wrong guess. Therefore, we may further eliminate some wrong guesses of in this step. Moreover, one may also try more middle terms such as during the “decryption” to ensure that the correct value of is not missed. However, from our experimental results, we observe that trying only one is enough to recover the plaintext in practice.

*Experimental Results*. We implemented our attack using the NTL library [35]. All experiments were run on a single core of a 3.40 GHz Core i7-4930K PC.

We follow the parameter setting suggested in [25]: the public parameters and the secret parameters . We denote the cases and by and , respectively. For each of and , we generated random instances and calculated the ciphertexts of random messages for each instance. Then we ran the attack on these ciphertexts. Experimental results are given in Table 1.

As mentioned before, we may obtain several pairs in Step 1. In fact, it suffices to make use of the pair with the minimal to recover the plaintext. This observation leads to an optimization of the attack: one may search in increasing (dictionary) order and move to Step 2 as soon as a candidate is found. Experimental results for the optimized attack are given in Table 2.

*Comparison with Bootle and Tibouchi’s Attack*. We note that Bootle and Tibouchi also proposed a practical attack [29] against Liu et al.’s encryption scheme. They used the lattice embedding technique to compute the nonce sequence in the encryption process **Enc**(), while we start from a different angle and recover a substitutable tuple of private keys . We argue that the insecurity of Liu et al.’s scheme is not only a result of the small value of , as claimed in [29], but also of the overstretched magnitude relation between the modulus and the parameters , , and , which is clarified in Theorem 11.

##### 4.3. Attack against Galbraith’s Scheme

In [24], Galbraith proposed a class of LWE-based encryption schemes for constrained devices with more compact parameters; that is, the public matrix is binary. We tried to attack Galbraith’s scheme exploiting short vectors of as described above, but it was ineffective even for the parameters completely broken in [27]. That is because the modulus in Galbraith’s scheme is not so overstretched. However, the binary public matrix and encryption nonce may still be problematic, as suggested in [27].

#### 5. Conclusion

In this paper, we target the variant of LWE called Compact-LWE which may be applied to design IoT-oriented lightweight cryptography. We give an explicit analysis of Compact-LWE and point out some weak instances with extreme compactness and overstretched moduli. As an application of our results, we propose a practical attack against the lightweight public key scheme in [25]. Consequently, we claim that the security estimation in [25] is incorrect.

The fragility of the scheme in [25] comes not only from its small parameters but also from the weak hardness of Compact-LWE. It would be interesting to generally figure out a theoretical hardness relation between Compact-LWE and other lattice problems.

Compact-LWE may still be of some interest under refined parameters. We leave to future work the tradeoff between efficiency and security, in particular the practical parameter selections achieving given security levels for IoT devices.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

The authors thank Léo Ducas and Professor Xiaoyun Wang for helpful discussions and comments. This research was supported by the National Key Research and Development Program of China (Project no. 2017YFA0303903), 973 National Program on Key Basic Research Project of China (Project no. 2013CB834205), and National Natural Science Foundation of China (no. 61502269).