Learning Plaintext in Galbraith’s LWE Cryptosystem
Tikaram Sanyashi, Sreyans Nahata, Rushang Dhanesha and Bernard Menezes
Indian Institute of Technology Bombay, Powai, Mumbai, India
Keywords: Learning with Errors, Linear Programming, Integer Linear Programming, Galbraith’s Binary LWE.
Abstract: Unlike many widely used cryptosystems, Learning with Errors (LWE)-based cryptosystems are known to be invulnerable to quantum computers. Galbraith's Binary LWE (GB-LWE) was proposed to reduce the large key size of the original LWE scheme by over two orders of magnitude. In GB-LWE, recovering the plaintext from the ciphertext involves solving for the binary vector $x$ in the equation $xA = b$ ($A$, a $640 \times 256$ binary matrix, and $b$, a 256-element integer vector, are known). Previously, lattice-based attacks on binary matrices larger than $400 \times 256$ were found to be infeasible. Linear programming was proposed and shown to handle significantly larger matrices, but its success rate for $640 \times 256$ matrices was found to be negligible. Our strategy involves identification of regimes L, M and H within the output (based on LP relaxation) where the mis-prediction rates are low, medium or high respectively. Bits in the output vector are guessed and removed to create and solve a reduced instance. We report extensive experimental results on prediction accuracy and success probability as a function of the number of bits removed in L, M and H. We identify trade-offs between lower execution time and greater probability of success. Our success probability is much higher than that of previous efforts, and its execution time of 1 day with 150 cores is a partial response to the challenge posed in (Galbraith, 2013) to solve a random $640 \times 256$ instance using "current computing facilities in less than a year".
1 INTRODUCTION
Introduced by Regev (Regev, 2005) in 2005, Learning with Errors (LWE) is a problem in machine learning and is as hard to solve as certain worst-case lattice problems. Unlike most widely used cryptographic algorithms, it is known to be invulnerable to quantum computers. It is the basis of many cryptographic constructions including identity-based encryption (Cash et al., 2010), (Agrawal et al., 2010), oblivious transfer protocols (Peikert et al., 2008), homomorphic encryption (Brakerski and Vaikuntanathan, 2014), (Brakerski et al., 2014) and many more.
The LWE cryptosystem performs bit-by-bit encryption. The private key, $s$, is a vector of length $n$ where each element of $s$ is randomly chosen over $\mathbb{Z}_q$, $q$ prime. The corresponding public key has two components. The first is a random $m \times n$ matrix, $A$, with elements over $\mathbb{Z}_q$ and with rows denoted $a_i^T$. The second component is a vector, $b$, of length $m$ where the $i$th element of $b$ is $a_i^T s + e_i \pmod q$. The $e_i$'s are drawn from a discretized normal distribution with mean 0 and standard deviation $\sigma$.
To encrypt a bit, $x$, a random binary vector (nonce), $u$, of length $m$ is chosen. This is a per-message ephemeral secret. The ciphertext is $(c_1, c_2)$ where $c_1^T = u^T A \pmod q$ and $c_2 = u^T b + x\lfloor q/2 \rfloor \pmod q$. A received message is decrypted to 0 or 1 depending on whether $c_2 - c_1^T s$ is closer to 0 or $\lfloor q/2 \rfloor$.
To thwart various lattice-based attacks, Lindner et al. (Lindner and Peikert, 2011) suggested the values of 256, 640 and 4093 respectively for $n$, $m$ and $q$, leading to a public key of size approximately 250 Kbytes. This unacceptable storage overhead for resource-constrained devices motivated consideration of binary values in matrix $A$.
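As an added illustration (not code from the paper), the following pure-Python toy implements the key generation, encryption and decryption just described, with the binary matrix $A$ of GB-LWE and the parameters $n = 256$, $m = 640$, $q = 4093$. The error standard deviation SIGMA and the use of Python's random module with a fixed seed are assumptions made here; the paper gives neither. The helper rows_selected_by_u_sum_to_c1 verifies the observation the paper relies on later, namely that $c_1$ is the (mod $q$) sum of the rows of $A$ selected by the 1-bits of the nonce $u$.

```python
import random

# Parameters from the paper (Lindner and Peikert's choice): n = 256, m = 640, q = 4093.
N, M, Q = 256, 640, 4093
# Assumed error standard deviation for this illustration; the paper does not state one.
SIGMA = 3.0


def keygen(rng, n=N, m=M, q=Q, sigma=SIGMA):
    """Private key s over Z_q; public key (A, b) with A a random binary m x n matrix.

    b_i = a_i^T s + e_i (mod q), with e_i a discretized normal sample (rounded Gaussian).
    """
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(2) for _ in range(n)] for _ in range(m)]
    e = [round(rng.gauss(0, sigma)) for _ in range(m)]
    b = [(sum(a * t for a, t in zip(row, s)) + ei) % q for row, ei in zip(A, e)]
    return s, (A, b)


def encrypt(rng, pub, x, q=Q):
    """Encrypt one bit x with a fresh binary nonce u. Returns ((c1, c2), u).

    c1^T = u^T A (mod q), c2 = u^T b + x * floor(q/2) (mod q).
    u is returned only so the caller can check the subset-sum view; it is never sent.
    """
    A, b = pub
    m, n = len(A), len(A[0])
    u = [rng.randrange(2) for _ in range(m)]
    c1 = [sum(u[i] * A[i][j] for i in range(m)) % q for j in range(n)]
    c2 = (sum(ui * bi for ui, bi in zip(u, b)) + x * (q // 2)) % q
    return (c1, c2), u


def decrypt(s, ct, q=Q):
    """Decode to 0 or 1 depending on whether c2 - c1^T s (mod q) is closer to 0 or floor(q/2).

    Algebraically c2 - c1^T s = u^T e + x * floor(q/2) (mod q), so the decision is
    correct as long as the accumulated error |u^T e| stays below about q/4.
    """
    c1, c2 = ct
    d = (c2 - sum(ci * si for ci, si in zip(c1, s))) % q
    dist_to_zero = min(d, q - d)
    dist_to_half = abs(d - q // 2)
    return 0 if dist_to_zero < dist_to_half else 1


def rows_selected_by_u_sum_to_c1(A, u, c1, q=Q):
    """The Vector Subset Sum view: c1 equals the mod-q sum of the rows of A picked by u."""
    n = len(A[0])
    total = [0] * n
    for ui, row in zip(u, A):
        if ui:
            total = [(t + r) % q for t, r in zip(total, row)]
    return total == c1


def roundtrip(seed=1, trials=8):
    """Encrypt alternating bits and return, per trial, (decrypted correctly?, VSS view holds?)."""
    rng = random.Random(seed)
    s, pub = keygen(rng)
    results = []
    for t in range(trials):
        x = t % 2
        ct, u = encrypt(rng, pub, x)
        results.append((decrypt(s, ct) == x, rows_selected_by_u_sum_to_c1(pub[0], u, ct[0])))
    return results


if __name__ == "__main__":
    for ok, vss in roundtrip():
        print("decrypt ok:", ok, " c1 is a subset sum of rows of A:", vss)
```

With $m = 640$ and a small $\sigma$, the error term $u^T e$ has a standard deviation of a few tens, far below $\lfloor q/4 \rfloor \approx 1023$, so decryption succeeds in every trial; the subset-sum check makes concrete why recovering $u$ from $(A, c_1)$ alone is the Vector Subset Sum problem discussed next.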
Galbraith (Galbraith, 2013) studied a ciphertext-only attack on the GB-LWE scheme to recover the plaintext. Given $c_1 = u^T A$ and $A$, the challenge is to obtain $u^T$. Once $u^T$ is known, the plaintext $x$ can be easily computed from $c_2$. Because $u^T$ is binary, obtaining its value is equivalent to finding the rows of $A$ that sum to $c_1$, i.e. the Vector Subset Sum (VSS) problem. (Galbraith, 2013) studied lattice-based attacks on GB-LWE and concluded that such attacks were infeasible for $m > 400$.
(Galbraith, 2013) also posed two challenges. The first of these was to be completed on an ordinary PC in one day and involved computing $u^T$ given a random $400 \times 256$ binary matrix $A$ and $c_1^T = u^T A$. The second problem was the same but with a random $640 \times 256$ binary matrix to be solved in one year with "cur-
Sanyashi, T., Nahata, S., Dhanesha, R. and Menezes, B.
Learning Plaintext in Galbraith’s LWE Cryptosystem.
DOI: 10.5220/0006909405590565
In Proceedings of the 15th International Joint Conference on e-Business and Telecommunications (ICETE 2018) - Volume 2: SECRYPT, pages 559-565
ISBN: 978-989-758-319-3
Copyright © 2018 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved