Hello everybody, this is Alex May from Ruhr University Bochum, and you are listening to the talk "How to Meet Ternary LWE Keys".

So what do I mean by ternary LWE keys? We are given an n-dimensional square matrix A and a target vector b, and we have the usual LWE identity A·s = b + e for some unknown s and e, where s is the secret and e is the error vector. Both are n-dimensional ternary vectors, and your goal is to find the n-dimensional ternary secret vector s.

Many efficient cryptosystems use secrets with such a bounded range, like our ternary keys. In this talk we will especially address NTRU in two versions, but there are more schemes in the paper, like the signature schemes BLISS and GLP. For the moment we assume that s and e are random ternary vectors. Our results also apply to larger fixed ranges, for example if we add ±2 entries, and I will give you an example for the BLISS signature scheme on the last slide. Our results further apply to variants such as Ring-LWE and Module-LWE, which only makes them slightly better, but we will ignore these effects throughout this talk.

In this talk we address a very elementary question: what is the combinatorial complexity of finding s? By combinatorial complexity and combinatorial algorithms I mean meet-in-the-middle algorithms.

But before I start with a meet-in-the-middle algorithm, let us address the simplest algorithm, namely brute force. Here we start with the LWE equation A·s = b + e, search over all ternary s, and check whether A·s − b is actually again a ternary error vector; in that case we output s. Graphically, this means we are looking among the columns of A for a ternary linear combination, given by s, which matches the target vector b up to some error vector e. If we denote the search space size of our ternary keys by capital S, which is 3^n, then the running time of our algorithm is basically this S = 3^n, with polynomial memory.
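To make the brute-force step concrete, here is a minimal Python sketch. Everything below is a toy illustration under my own assumptions: the instance (q, n, A, b) is randomly generated, and enumerating all 3^n ternary vectors is of course only feasible for very small n.

```python
import itertools
import numpy as np

def brute_force_ternary_lwe(A, b, q):
    """Enumerate all ternary s and test whether e = A*s - b (mod q)
    is again a ternary vector. Time ~3^n, polynomial memory."""
    n = A.shape[0]
    for cand in itertools.product((-1, 0, 1), repeat=n):
        s = np.array(cand)
        e = (A @ s - b) % q
        e = np.where(e > q // 2, e - q, e)  # center into (-q/2, q/2]
        if np.all(np.abs(e) <= 1):          # ternary error found
            return s, e
    return None

# hypothetical toy instance
q, n = 97, 6
rng = np.random.default_rng(1)
A = rng.integers(0, q, size=(n, n))
s = rng.integers(-1, 2, size=n)
e = rng.integers(-1, 2, size=n)
b = (A @ s + e) % q
print(brute_force_ternary_lwe(A, b, q))
```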
So what do we do now? We run a meet-in-the-middle algorithm on this. In the meet-in-the-middle we split A column-wise in dimension n: we look at the first n/2 columns of A, denoted A1, and the second n/2 columns, denoted A2, and we also split s into two halves of dimension n/2. This is depicted on the next slide: A is written as A1 and A2, and we get the identity A1·s1 = −A2·s2 + b, up to the unknown error vector e, with s1 and s2 of dimension n/2. In an algorithm this means we enumerate all s1 — now ternary of dimension n/2 — and construct a list L1 with all these candidates s1 together with the left-hand side of our equation, A1·s1, which we hash; you will see why we hash in a minute. The same we do for s2, again a half-dimensional ternary vector: we enumerate all s2 together with the right-hand side −A2·s2 + b, which we hash as well.

So why do we hash? We need that the right-hand side equals the left-hand side only up to our unknown ternary e, and this is handled by locality sensitive hashing, which was introduced by Odlyzko in '97. As a consequence, we output all s1 and s2 that have the same hash value under our locality sensitive hash function. You can easily show that the running time is dominated by the list construction, which is 3^(n/2) because s1 and s2 now have dimension n/2 — that is the square root of the search space. The drawback is that the memory is also the square root of the search space S.

Okay, now I will give you a brief introduction to the representation technique, which is actually the key for the further improvements on ternary LWE. What is the main idea of the representation technique, which was introduced by Howgrave-Graham and Joux in the context of subset sum algorithms? We split s not into two n/2-dimensional vectors s1 and s2, but as a sum s = s1 + s2, with both summands being full n-dimensional ternary vectors. Here is an example: look at the vector (1, 0, −1, 1, −1). I split it such that both summands s1 and s2 obtain exactly one 1 and one −1. As depicted, you see four representations of s: I can split the first 1 of s as 1 + 0, as I do in sums one and two, or as 0 + 1, as I do in sums three and four. Similarly for its first −1: I can write it as (−1) + 0, as I do in sums one and four, or as 0 + (−1), as I do in sums two and three.

This is what I call REP-0: basically, we represent the 1s ambiguously by putting each of them either in the first summand or in the second summand, and the same for the −1s. But notice that every 0 of s is always written as 0 + 0. Now we can change that and get even more representations — this is what I call REP-1: we additionally represent a 0 as 1 + (−1) or as (−1) + 1. Here is an example: the green 0 is now represented as 1 + (−1). And you can think of even more representations by using more digits for s1 and s2; for instance, in REP-2 I use 2s, so I represent the first 1 of s in the orange representation as 2 + (−1). This gives us more representations; the drawback is that it is harder to enumerate the s1 and s2, but the big benefit is that, once we have R representations, it is enough to compute only a 1/R fraction of them. Why is that? Look at our four representations above: no matter which one of them we construct, they are all equally good, because they all sum to the right target vector s. That is already the magic of the representation technique, which was used heavily to improve algorithms for subset-sum-type problems.
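As a small sketch of REP-0, the following Python snippet enumerates all splittings s = s1 + s2 for the example vector from the slide; the even-split convention (each summand gets exactly half of the 1s and half of the −1s) is the one described above, while the function name is just my choice.

```python
from itertools import combinations

def rep0_splittings(s):
    """All REP-0 representations s = s1 + s2: each summand receives
    exactly half of the 1s and half of the -1s of s, and every 0 of s
    is written as 0 + 0."""
    ones  = [i for i, x in enumerate(s) if x == 1]
    mones = [i for i, x in enumerate(s) if x == -1]
    reps = []
    for p in combinations(ones, len(ones) // 2):
        for m in combinations(mones, len(mones) // 2):
            s1 = [0] * len(s)
            for i in p:
                s1[i] = 1
            for i in m:
                s1[i] = -1
            s2 = [x - y for x, y in zip(s, s1)]  # s2 = s - s1, again ternary
            reps.append((s1, s2))
    return reps

for s1, s2 in rep0_splittings([1, 0, -1, 1, -1]):
    print(s1, s2)  # the four representations from the example
```

With this convention, a weight-ω secret with ω·n/2 ones and ω·n/2 minus-ones has R = C(ω·n/2, ω·n/4)² representations, which is exponential in n.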
And here you see subset sum directly. In the subset sum problem you are given a1 up to an and a target t, and you have to find a subset of the ai that sums to t modulo 2^n. The simplest algorithm is again brute force with complexity 2^n, then there is meet-in-the-middle with 2^(n/2), and once you use representations you can improve this exponent to basically one third, with something similar to REP-0 from before. If you use more complicated representations like REP-1 or REP-2, you improve to 2^(0.29n) respectively 2^(0.28n), as was shown at Asiacrypt last year.

Representations were also fruitful for decoding. You can consider the famous syndrome decoding problem as a subset-sum-type problem over F_2^n. There you have Prange's algorithm from the '60s, which is a brute-force-type algorithm; the Stern and Dumer algorithms from the '90s and the ball-collision algorithm from Crypto 2011, which are basically meet-in-the-middle-type algorithms; the MMT algorithm from Asiacrypt 2011, which you can consider a sort of REP-0 algorithm; and the BJMM algorithm from Eurocrypt 2012, currently considered the best syndrome decoding algorithm, which you can see basically as a REP-1 algorithm.

Since these representations were so fruitful for subset-sum-type problems, and since ternary LWE is also kind of a subset sum problem — we have to find a ternary linear combination of the columns of A — the main idea is to use representations here as well. This is what we do, but there are two technical caveats. First, for ternary LWE we do not have exact matching but approximate matching: there is some error that we do not know, which is different from subset sum and from syndrome decoding, where we match the target t exactly. Second, locality sensitive hashing is not homomorphic, and that causes some problems — but I do not want to go into these details.

Instead, I want to show you now the main idea of our new algorithm for ternary LWE keys, which is called Meet-LWE. We want to use representations, so we use a full-size splitting s = s1 + s2, both summands being n-dimensional vectors. We get the identity A·s1 = −A·s2 + b + e, and the idea is to check this identity approximately on n − r coordinates and exactly on r coordinates. For those r coordinates we have to know the r coordinates of the error vector e, denoted here by e_r.

So let us have a look at the algorithm Meet-LWE. In the first step, you choose your preferred representation, REP-0, 1 or 2. Then there is a loop that guesses the r coordinates of e, denoted e_r. For every guess of e_r, you enumerate all s1 within your representation together with the left-hand side A·s1, and all s2 together with the right-hand side −A·s2 + b. Then you output all sums s1 + s2 such that the meet-in-the-middle identity A·s1 = −A·s2 + b + e is fulfilled exactly on the r coordinates, using the guessed e_r, and approximately on the remaining n − r coordinates. This approximate fulfillment you again check via Odlyzko's locality sensitive hash function. The correctness of this algorithm should now be somewhat clear to you.
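To make the approximate check concrete, here is a sketch of Odlyzko's locality sensitive hash in the form it is usually described — one bit per coordinate, recording which half of Z_q the coordinate lies in. The border handling mentioned in the comment is exactly where the non-homomorphic caveat from before bites.

```python
def odlyzko_hash(v, q):
    """One hash bit per coordinate: 0 if the coordinate lies in
    [0, q/2), 1 if it lies in [q/2, q). If u = v + e coordinate-wise
    for ternary e, then u and v agree on every hash bit whose
    coordinate is not directly next to one of the borders 0 and q/2;
    border coordinates must be treated separately, e.g. by storing a
    candidate under all of its nearby hash values."""
    return tuple(0 if (x % q) < q // 2 else 1 for x in v)
```

In the meet-in-the-middle step, each A·s1 is stored in a table under its hash value, and each −A·s2 + b is looked up under its hash, so that pairs matching up to a ternary error are likely to collide.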
But what about the running time? We have a loop where we guess r coordinates of e, and this might be a very bad idea — so let us look at this.

The running time T of our Meet-LWE algorithm is 3^r — this is the cost of guessing the r coordinates of e — times, for every such guess, a list construction and some matching. Recall that with the representation technique we only have to construct a 1/R fraction of the search space, where capital R is the number of representations. The right choice of small r, the number of coordinates we have to guess, is given by identity (1): q^r = R. For all our representations REP-0, 1 and 2, we have identity (2): the number of representations R is bounded by 2^(O(n)). And, identity (3): in LWE we usually choose q polynomial in n. Together these imply: from (1) we get r = log_q R, which we rewrite to base 2 as r = log2(R)/log2(q); plugging in (2) and (3) then eventually gives that the number of coordinates we have to guess, small r, is of order n/log n, i.e. slightly sublinear in n. This is good news, because the guessing cost 3^r is then only slightly subexponential in n, whereas the list construction time is fully exponential in n. Asymptotically, our Meet-LWE algorithm therefore does not suffer too much from guessing the r coordinates — asymptotically, it is just the list construction time. For concrete parameters, like the NTRU parameters, we of course have to take the guessing into account, but let us start with the asymptotics.

So here I give some asymptotics. For real cryptosystems like the NTRU cryptosystems, one usually chooses secrets of smaller weight. Let me first define the weight: s has weight ω if s has ω·n non-zero coefficients. For a random ternary s you would expect weight 2/3, but usually one chooses a smaller weight, i.e. a smaller number of ±1s in the secret. In the table you see some weights: we start with an extremely small weight like 0.12, and we also have weights in the range 0.38 up to the full weight of about 2/3. For these weights we can compute the running time T, and you see that for the very small weight we obtain roughly S^0.3, while for the larger weights we get roughly S^(1/4). This gives our theorem: for these large ω, Meet-LWE achieves asymptotic complexity the fourth root of the search space, with memory requirement also the fourth root of the search space. Compare this to the formerly best known combinatorial algorithm, Odlyzko's meet-in-the-middle, with the square root of the search space: our new result gains another square root, down to the fourth root of the search space, which is already quite impressive. And you will see that this also translates into significant speedups in practice.

So let us look at some NTRU parameters; I have two parameter sets for you. The first parameter sets are from the IEEE standard from 2008, and the second block of parameters is from the current NIST proposal of the NTRU team, which is currently a finalist in the standardization process.
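Before we look at the concrete numbers, here is a quick sketch of how such search space sizes can be computed: with the weight convention above (ω·n non-zero entries), one natural count is S = C(n, ω·n)·2^(ω·n) — the positions of the non-zeros times a sign for each. The (n, ω) pairs below are hypothetical illustration values, and the real schemes fix the exact numbers of +1s and −1s, so these figures will not reproduce the table exactly.

```python
from math import comb, log2

def search_space_bits(n, omega):
    """log2 of S = C(n, k) * 2^k with k = omega*n non-zero entries:
    choose the positions of the non-zeros, then a sign for each."""
    k = round(omega * n)
    return log2(comb(n, k)) + k

# hypothetical (n, omega) pairs, for illustration only
for n, omega in [(500, 0.12), (700, 0.30), (800, 0.50)]:
    print(n, omega, round(search_space_bits(n, omega)), "bits")
```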
You see that in the IEEE standard we have very small weights, 0.12 and 0.11, and the search space is ranging between roughly 400 bits and 777 bits. Our results, though asymptotically they should be around S^0.3, are in practice a little bit worse, because we have to take the guessing into account. But we also compare to lattices, and you see that our combinatorial algorithm actually improves on the current lattice estimates that we have for this 2008 standard. You also see that lattices are somewhat more sensitive to increasing the dimension, so the gap opens: for the smallest dimension we have a gap of about five bits, whereas for the largest dimension, which is around 1500, we have a gap of over 40 bits.

But you also see, if you go to the NIST parameter sets, that our algorithm is very sensitive to the weight. For instance, if you compare the first parameter sets of IEEE and NIST, they have almost the same dimension, so for lattices you get almost the same estimate, but for our algorithm the estimate is much worse — it almost doubles in bit complexity. So the basic observation is: lattices are very sensitive to the dimension, whereas our enumeration algorithm is very sensitive to the weight.

Okay, so let us wrap up. We improved the ternary LWE meet-in-the-middle algorithm of Odlyzko from the square root of the search space to the fourth root of the search space. There is already a quantum version of our algorithm, which achieves the fourth root of the search space; this is joint work with Iggy van Hoof and Elena Kirshanova from this year's PQCrypto. Our algorithm improves upon current lattice estimates in the small weight regime, but not in the large weight regime that was chosen by the NTRU team — which seems to be a good choice; they kind of anticipated our new algorithm. Our algorithm also has potential applications for side-channel attacks, where you get an approximation of the secret and you are left with a small-weight regime.

We show more generalizations in the paper. For instance, we show more time-memory trade-offs using parallel collision search, and we give a BLISS example including non-ternary keys with ±2 entries; there we classically get a very promising result, namely the fifth root of the search space, which suggests that our algorithm generalizes quite well.

This also brings us to the open problems. To generalize to arbitrary max-norms and to analyze this, it seems that we need new mathematical methods, because our methods get very, very messy if you add new digits for s. And there are two more interesting open questions. One: can we close the gap between the asymptotics and the practical parameters that comes from guessing the small r coordinates — is it really necessary, or can we remove it? And last but not least: we now have a combinatorial algorithm which is best in the small weight regime, and lattice reduction algorithms which are best in the large weight regime. Is there a hybrid algorithm that gives you the best of both worlds?

And that is all. Thanks a lot for your attention, and goodbye!