We're going to talk about costing the use of BKZ for cryptanalysis, in particular for LWE. This is work done together with Martin Albrecht, Florian Göpfert and Thomas Wunderer; Martin and Thomas are also present at this conference. As an overview, we're going to talk about lattice reduction and cost models, about the experiments that we ran and what experimental and theoretical results we can draw from them, and about what this means for security estimates, in particular of concrete proposals for post-quantum secure encryption. Then we're going to give some concluding remarks.

So, lattice reduction cost models. The idea is that lattice reduction algorithms are part of the fundamental toolkit for doing cryptanalysis. They've been used against classical schemes, for example RSA, but they are particularly important for lattice-based schemes, because the common strategy is the following: we have some encryption scheme, there is some secret that we're trying to protect, and we may be able to construct a lattice that contains that secret, encoded as a very short vector of that lattice. Hence, being able to find short vectors, for example using lattice reduction, is a way of breaking the scheme, and being able to cost how efficiently we can find these short vectors is fundamental for choosing secure parameters. The problem is that the cost models present in the literature disagree on the asymptotic cost of lattice reduction.

The first systematic study of the efficiency of lattice reduction for cryptanalysis goes back to 2008, to Gama and Nguyen. They look at a few algorithms, but for our purposes they look at BKZ, and they look at the unique shortest vector problem. They study it experimentally and use statistical analysis of their results to extract asymptotics. In particular, they extract a necessary condition for being able to recover the unique shortest vector in the lattice, which is usually the one encoding the secret, and therefore for breaking the scheme. Albrecht, Fitzpatrick and Göpfert in 2014 then adapted this technique to the cryptanalysis of LWE-based schemes in particular.

The idea of the winning condition is as follows. We have a lattice Λ and we have v, the unique shortest vector in this lattice — unique up to sign, of course, because if v is in the lattice then −v is there as well. We write λ_i for the i-th successive minimum, so λ_1 is the length of the (unique) shortest vector, λ_2 is the length of the second linearly independent shortest vector, and so on. Then we look at the Hermite factor, which tells us something about how short a vector a given algorithm is able to recover. The lattices we build for cryptanalysis look random, but we know (or suspect) that there is something very short in there. The shorter that vector is, the more unusual, the more distant from random, the lattice is, and the more capable we should be of detecting it — of distinguishing how short it is compared with, say, the second shortest vector. So the necessary condition, the winning condition, looks at the gap between the second shortest vector and the first: the larger the gap, the shorter (relatively speaking) the shortest vector is, and the easier the problem is to solve.

What one observes is that we win with high probability if the lattice has a gap larger than a certain power of the Hermite factor for the algorithm we're using — not the full power, but some fraction of it — and this constant τ is estimated from experiments. That gives us a condition for winning. In the case of LWE, we construct the lattice from LWE samples and reduce the basis using BKZ with some block size β, and from the condition we can extract the smallest number of samples, and in particular the smallest β, needed to recover the shortest vector. Throughout the presentation we refer to this as the 2008 model.
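To make the 2008-style winning condition a bit more concrete, here is a small sketch under the usual heuristics. The function names and the placeholder value of τ are mine, purely for illustration, and δ(β) is the standard heuristic estimate of the root Hermite factor achieved by BKZ with block size β.

```python
from math import pi, e

def root_hermite_factor(beta):
    # Standard heuristic estimate for the root Hermite factor delta
    # achieved by BKZ with block size beta.
    return (beta / (2 * pi * e) * (pi * beta) ** (1.0 / beta)) ** (1.0 / (2 * (beta - 1)))

def gap_condition_holds(lambda1, lambda2, d, beta, tau=0.3):
    # 2008-style necessary condition for recovering the unique shortest
    # vector in a d-dimensional lattice: the gap lambda2/lambda1 should
    # exceed tau * delta^d.  The constant tau is fitted from experiments;
    # the value 0.3 here is only a placeholder, not a fitted constant.
    return lambda2 / lambda1 >= tau * root_hermite_factor(beta) ** d
```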
But then, in 2016, Alkim, Ducas, Pöppelmann and Schwabe presented a different success condition for solving the unique-SVP problem using BKZ. Their strategy looks at what BKZ is actually doing — at the inner workings of BKZ — and at what the Geometric Series Assumption (GSA) says about how good a basis BKZ is able to produce. We refer to this as the 2016 model, and to explain how it works we first have to review BKZ a little.

The setup for BKZ is the following. We are given a basis of the lattice; the vectors in the basis are called b_i. We can run the Gram-Schmidt process and extract the Gram-Schmidt vector b_i* corresponding to each b_i, and we have v, our short vector. The b_i* are the orthogonal projections of the basis vectors against the first i−1 Gram-Schmidt vectors; the idea is that we could expand the secret vector in this basis and, in a sense, ignore the first few coefficients. What do we do in BKZ? First we run LLL to preprocess the basis, getting rid of linear dependencies and of some possible causes of numerical instability, and we plot the lengths of the Gram-Schmidt vectors of the basis obtained from LLL. What the GSA says is that after running BKZ the lengths of the resulting Gram-Schmidt vectors should lie on the orange line [on the slide].

BKZ itself works as follows. We have a parameter β, the block size. We start by looking at the vectors b_1 to b_β — more precisely at the projections b_1* to b_β* — and at the sublattice they span. We call an oracle that solves the shortest vector problem exactly in this projected sublattice; it finds a new short vector, which we insert into the basis in the first position. We remove any extra linear dependency, and then, in a sense, we move the block one position to the right, so we now consider the vectors b_2 to b_{β+1}, and rinse and repeat. As the block moves to the right, the quality of the basis improves — the plotted line starts to look a little closer to the orange GSA line. Eventually we reach the last position at which we can use a full-size block; after that we can't move the block any further to the right, because there are no more basis vectors, so we just shrink the block size and keep going until the end of the basis. That completes one BKZ tour.
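As a concrete illustration of running BKZ and reading off the Gram-Schmidt profile that the GSA talks about, here is a minimal sketch using the fpylll Python bindings to fplll. The dimension, modulus and block size are toy values for illustration, not the ones from our experiments.

```python
from math import log
from fpylll import IntegerMatrix, LLL, BKZ, GSO

d, q = 60, 1021
A = IntegerMatrix.random(d, "qary", k=d // 2, q=q)   # random q-ary lattice basis

LLL.reduction(A)                                     # preprocessing
BKZ.reduction(A, BKZ.Param(block_size=20))           # BKZ with block size 20

M = GSO.Mat(A)
M.update_gso()
# get_r(i, i) is ||b_i*||^2; after reduction, the GSA predicts that
# log ||b_i*|| decreases roughly linearly in i.
profile = [log(M.get_r(i, i)) / 2.0 for i in range(d)]
print(profile)
```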
After enough tours, what happens experimentally is that the blue line [on the slide] — the Gram-Schmidt lengths — ends up more or less where the GSA says it should be.

So the idea of Alkim et al. is the following. We know roughly what the lengths of the projections of the short vector should be, and in particular we can see where they intersect the GSA line — and this depends only on δ, the Hermite factor of the algorithm, and on the lattice instance. So let's choose a block size large enough that the very last full-size call to the SVP oracle works on a sublattice containing a projection of the short vector that is shorter than the Gram-Schmidt vector we would otherwise expect to recover from that call. That is their condition: if the projection of the short vector is shorter than what the GSA says we should be finding there, then this is a win. It is a win because we are trying to decide whether we are dealing with a random lattice, in which case the GSA should hold, or with a lattice containing an unusually short vector — and we have just found something shorter than the GSA predicts, so we know this is an LWE lattice.

Instead of only solving the decision problem in this way, we can try to solve the search problem directly, i.e. recover the short vector. What BKZ would do is find this projection, put it where the black line is [on the slide], finish the tour and start a new one. In the new tour our block will contain the projection we found before — a vector shorter than the GSA predicts — so we should be able to push a little further, i.e. recover a slightly longer projection, and then with another tour and another tour we recover the full short vector. At most about d/β extra tours after we reach the GSA should be needed to recover the full vector.

Now, if we choose parameters based on the 2008 model or based on the winning condition of the 2016 model — fix the secret dimension for LWE and estimate the block size needed to solve the problem — the two models disagree asymptotically. In particular, the 2008 model costs the strategy as more expensive than the 2016 model does. So we decided to experimentally verify the accuracy of the 2016 model.

Our experiments are as follows. We are given an LWE instance — the secret dimension, the modulus and the standard deviation of the discrete Gaussian; we assume discrete Gaussian error distributions here. The 2008 model provides a number of samples and a block size, and we are told that this m and β give about a 10% probability of recovering the short vector. What we do instead is pick the number of samples and the block size based on the 2016 model, and measure how good that choice is at recovering the short vector — so let's measure the recovery rate.
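Concretely, the 2016 winning condition, under the usual GSA and root-Hermite-factor heuristics, can be turned into a small search over block sizes. This is only a sketch with names of my choosing: it assumes a Bai-Galbraith style embedding of dimension d = m + n + 1 and volume q^m, and uses the condition in the form √β·σ ≤ δ^(2β−d)·Vol(Λ)^(1/d); the exact exponent depends on the normalisation one picks.

```python
from math import sqrt, log, exp, pi, e

def root_hermite_factor(beta):
    # heuristic root Hermite factor achieved by BKZ with block size beta
    return (beta / (2 * pi * e) * (pi * beta) ** (1.0 / beta)) ** (1.0 / (2 * (beta - 1)))

def wins(n, m, q, sigma, beta):
    # 2016-style condition: the projected target, of expected norm
    # sqrt(beta)*sigma, should be shorter than the GSA prediction for
    # ||b*_{d-beta+1}|| in the embedding lattice of dimension d = m+n+1.
    d = m + n + 1
    log_vol = m * log(q)                       # volume q^m for this embedding
    lhs = sqrt(beta) * sigma
    rhs = exp((2 * beta - d) * log(root_hermite_factor(beta)) + log_vol / d)
    return lhs <= rhs

def smallest_beta(n, m, q, sigma):
    # smallest block size for which the condition predicts success
    for beta in range(40, m + n + 1):
        if wins(n, m, q, sigma, beta):
            return beta
    return None
```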
But not only that. Since the 2016 model is based on the inner workings of BKZ, it would be nice to monitor what BKZ is doing step by step, so that we can say not only "this is the recovery rate" but also "this is what is happening inside the basis" — is it matching the prediction or not? So we instrumented BKZ to measure exactly what is going on in the basis, i.e. which projections of v are being found, and we also did some analysis inside the SVP calls, so we had to slightly modify the implementation of BKZ, while still staying within standard BKZ behaviour. For the experiments we used the fplll library, a great open source library for doing lattice reduction — if you're into computational mathematics, please consider contributing, because it's a great project.

Now the results — a rather large table. The first three columns give the LWE parameters we used to create our lattices, and in the middle the two columns β and m (2016) give the block size and number of samples that the 2016 model says we need to recover the short vector. We spent around 30,000 core hours running experiments, both with that number of samples and block size and with slightly smaller block sizes, because, going by the intuition behind the 2016 model, choosing a block size that is too small should make the algorithm much less effective, and we wanted to see exactly how sensitive everything is. We then measured the recovery rate. Recall that the 2008 model, as used in practice, is tuned to give a 10% recovery rate; here, following the parameters given by the 2016 model, we get around 90 percent or more — well, I can't quite say 90 plus, because there is one 88.8% in there, but hey, it's pretty good.

So we think the experiments agree with the 2016 model. We think it's not a 100% recovery rate because the GSA is only a heuristic — it doesn't really hold at the end of the basis — and we are working with randomised algorithms. Still, it looks like very convincing evidence.
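To give a feel for what a single run looks like, here is a toy end-to-end sketch: build an LWE instance, embed it into a uSVP lattice (a Bai-Galbraith style embedding), reduce with BKZ, and check whether ±(e, s, 1) shows up in the reduced basis. The parameters are made up and far smaller than anything in our actual runs, which used the instrumented fplll/fpylll code.

```python
import random
from fpylll import IntegerMatrix, LLL, BKZ

n, m, q, sigma = 30, 40, 521, 1.0      # toy LWE parameters (illustrative only)
beta = 20                               # toy block size

s = [random.randint(-1, 1) for _ in range(n)]              # small secret
e = [round(random.gauss(0, sigma)) for _ in range(m)]      # small error
A = [[random.randrange(q) for _ in range(n)] for _ in range(m)]
c = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]

# Embedding basis (rows):  [ q*I_m   0    0 ]
#                          [ -A^T    I_n  0 ]
#                          [  c^T    0    1 ]
# so that (e, s, 1) is a short vector of the generated lattice.
d = m + n + 1
B = [[0] * d for _ in range(d)]
for i in range(m):
    B[i][i] = q
for j in range(n):
    for i in range(m):
        B[m + j][i] = -A[i][j] % q
    B[m + j][m + j] = 1
B[d - 1][:m] = c
B[d - 1][d - 1] = 1

M = IntegerMatrix.from_matrix(B)
LLL.reduction(M)
BKZ.reduction(M, BKZ.Param(block_size=beta))

target = e + s + [1]
found = any(list(M[i]) == target or list(M[i]) == [-x for x in target]
            for i in range(d))
print("recovered:", found)
```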
There are, however, two unexpected behaviours. The first one is this. Given how the model is derived, we should be recovering the projection of the secret vector at the last full-size block: if the dimension of the lattice is d and we count indices from 1, we should find it when we process the block starting at index d − β + 1, and from there recover the short vector. But when we plot the probability of recovering the projection π_i(v) as a function of i, we find that we tend to recover this projection a little to the left of that index. This could be an issue — but maybe not, because it is something we only observe for very small parameter sets. What happens is that when we plot the GSA line together with the expected lengths of the projections of the secret vector, there is not one intersection but two. So while running BKZ we are not yet able, at the last full-size block, to recover the projection there; but when we get to the end of the basis, the block size starts shrinking, and in the last few steps it reaches some small value γ — γ may be a number like 3 or 4, a very small block size. There, though, we may hit the second intersection: the projection may be shorter than what the GSA says, so we recover that very short projection. Then in the next tour, once the full-size block arrives β + γ positions from the end, that projection is already sitting there, the winning condition holds again, and so we recover the longer projection — just a little to the left of where we expected to recover it.

This might lead you to think: maybe we can use an even smaller block size, first recover the short projection near the end and then work our way to the left. We can't. We don't observe the double intersection for cryptographically sized LWE parameter sets, and it depends only on the GSA and the expected projection lengths, so even if it did happen for some scheme it should be easy to get rid of with a small tweak to the parameters. So this should not be a problem.

The second unexpected observation is this. We thought we would recover v in chunks: in one tour a projection, in the next tour a longer projection, and so on. Instead, we measured that after we find the first projection there is immediately, inside BKZ 2.0, a call to LLL, and that call — in particular a sub-call to size reduction — recovers the whole secret vector exactly. So we don't need the extra d/β tours; we just need the one tour in which we recover the projection for the first time. To explain this — and it happens essentially all the time in our measurements — we model the state of the basis right after the first projection has been recovered, using the GSA, and we have a lemma: if the block size is larger than about 40, which is certainly the case for cryptanalysis, then size reduction recovers the full short vector from its projection with overwhelming probability. So there we go from a success probability of about 0.9 to 1 — well, 1 minus something negligible. This is fine; it is not something outside of the model.

So, nice — let's re-cost lattice reduction for solving uSVP. We added the 2016 winning condition to the LWE estimator by Albrecht, Player and Scott, and ran it against some proposed schemes, with the parameter sets as of the time of submission, May 2017. All we changed is the number of samples and the block size; we did not change how each submission costs the SVP oracle. If a proposal costs the oracle using sieving, we keep sieving; if it counts one call to the oracle, we count one call; if it counts a billion calls, we count a billion calls. We keep the strategy and change only the number of LWE samples and the block size.
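Just to illustrate what turning a block size into a security figure looks like, here is a toy conversion under one example model — the "core-SVP" sieving exponent of 0.292·β per SVP call. This particular model is only an example of mine; when re-costing a scheme, its own oracle cost strategy (sieving vs enumeration, one call vs many) is what we actually keep, as described above.

```python
def core_svp_cost_bits(beta):
    # log2 cost of a single sieving-based SVP call under the "core-SVP"
    # model; this is only one of the cost models used by submissions.
    return 0.292 * beta

# For instance, if the 2016 winning condition (see the earlier sketch)
# returned beta = 480 for some parameter set, this particular model would
# assign it roughly 140 bits of security against the primal attack:
print(core_svp_cost_bits(480))   # about 140
```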
Here is an example — there are more in the paper. We look at Lizard, which is a public-key encryption scheme, at TESLA, a signature scheme, and at SEAL, for fully homomorphic encryption. For Lizard and TESLA, the 2016 model costs finding the short vector as cheaper than the proposed estimates. Lizard has since addressed the issue, but as of 2017 the difference was about 50 bits, which is quite impressive; for TESLA it is not as large. Our guess is that there are many ways of getting, say, 128 bits of security from LWE, depending on the modulus and the error, and some choices may be more sensitive than others. In the case of SEAL this doesn't happen: their parameters already account for the dual attack by Albrecht from 2017, so we don't get any lower security, but we do narrow the gap that there was between the primal attack and the dual attack in that case.

In conclusion, we confirmed the validity of the 2016 model for costing lattice reduction. This also means that some lattice-based schemes may need reparameterisation if they did not take this model into account, but it's not a big issue: reparameterisation is usually quite cheap in terms of efficiency, so it's not a problem. And the double-intersection observation — the fact that it turned out to be an artifact of small experiments — raises a question about extrapolating asymptotics from small experiments. Also, in the case of the 2008 model, Albrecht et al. ran experiments for block sizes around 20, and that is arguably too small to make estimates about the asymptotic behaviour of the scheme. That's all I wanted to say, thank you very much.

All right — is there still a difference between the primal and the dual attack?

So, it depends on how one instantiates the primal attack. Can you hear me if I speak from over here? Yeah, we hear you, no problem. If one instantiates the primal attack against schemes that use small or sparse secrets using the Kannan embedding, there is a difference, because the secret might be shorter, in a sense, than the error vector; but one can use the Bai-Galbraith embedding when building the embedding lattice in order to recover similar results. My very personal impression is that the reason why the primal attack with the 2016 model now almost matches the dual attack is maybe exactly that: the dual attack algorithm exploits this sparse, short secret structure, and to get the same for the primal attack on SEAL we do need to use the Bai-Galbraith embedding and a rescaling of the secret to obtain the same efficiency. So there is a difference, I think, depending on the embedding lattice, but I wouldn't know in general; maybe there is something there.

Any questions? Will you be using these methods for this competition?

Not personally, but I have a suspicion that some people in our team will.

Other questions? OK, so let's thank the speaker.