Core Concepts
New statistical attack separates cruel and cool bits in LWE secrets efficiently.
Abstract
The paper introduces a statistical attack on sparse binary LWE secrets, focusing on separating the "cruel" and "cool" bits of the secret through lattice reduction. By leveraging statistical properties, the attack aims to recover the secret efficiently. The study provides concrete results for recovering secrets in different dimensions and highlights vulnerabilities in RLWE instances compared to LWE. The attack methodology involves three stages: initial lattice reduction, brute force recovery of cruel bits, and statistical recovery of cool bits. The performance is evaluated based on concrete experimental results across various parameter settings.
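A toy simulation of the second and third stages, added here as an illustration and not taken from the paper. It skips lattice reduction and instead constructs samples whose first columns are uniform mod q (cruel) and whose remaining columns are small (cool). The parameters, the function names and the per-column least-squares estimator used for the cool bits are assumptions made for this example.

```python
import itertools, random

Q, N_CRUEL, N_COOL, M = 3329, 8, 16, 600   # constructed toy parameters

def center(x):
    """Map x mod Q into (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def simulate_reduced_samples(secret, rng):
    """Constructed stand-in for stage 1 output: cruel columns stay uniform
    mod Q, cool columns are small, and b = <a, s> + e mod Q."""
    rows = []
    for _ in range(M):
        a = [rng.randrange(Q) for _ in range(N_CRUEL)] + \
            [rng.randint(-2, 2) for _ in range(N_COOL)]
        e = rng.randint(-1, 1)
        b = (sum(x * s for x, s in zip(a, secret)) + e) % Q
        rows.append((a, b))
    return rows

def residuals(rows, cruel_guess):  # zip stops after the cruel columns
    return [center(b - sum(x * g for x, g in zip(a, cruel_guess))) for a, b in rows]

def recover_cruel(rows):
    """Stage 2: enumerate cruel-bit patterns; only the right one leaves
    residuals that are small instead of uniform mod Q."""
    def spread(g):
        return sum(r * r for r in residuals(rows, g))
    return min(itertools.product((0, 1), repeat=N_CRUEL), key=spread)

def recover_cool(rows, cruel):
    """Stage 3 (simplified estimator, an assumption): per-column
    least-squares coefficient of the residual, thresholded at 1/2."""
    res = residuals(rows, cruel)
    bits = []
    for j in range(N_CRUEL, N_CRUEL + N_COOL):
        num = sum(r * a[j] for r, (a, _) in zip(res, rows))
        den = sum(a[j] ** 2 for a, _ in rows)
        bits.append(1 if num > den / 2 else 0)
    return bits

def demo(seed=1):
    rng = random.Random(seed)
    # constructed sparse binary secret: two cruel bits, three cool bits
    secret = [1 if i in (1, 5, 10, 15, 20) else 0 for i in range(N_CRUEL + N_COOL)]
    rows = simulate_reduced_samples(secret, rng)
    cruel = list(recover_cruel(rows))
    return secret, cruel + recover_cool(rows, cruel)
```

The brute-force cost is exponential only in the number of cruel columns, which is why the split matters for sparse binary secrets.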
Stats
Table 1 presents parameter settings and timings for successful recovery of sparse binary secrets:
n = 256, log2 q = 12, Hamming Weight = 12, Time = 3,865 seconds
n = 512, log2 q = 28, Hamming Weight = 12, Time = 2,417 seconds
n = 512, log2 q = 41, Hamming Weight = 60, Time = 376 seconds
n = 768, log2 q = 35, Hamming Weight = 12, Time = 1,291 seconds
Quotes
"We can first solve the sub-problem of finding the “cruel” bits of the secret in the early columns."
"Our key observation is that for an LWE instance... produces a reduced matrix A′ with a non-uniform distribution."
"The number of unreduced and reduced columns of A′ depends on the overall lattice reduction quality."