
Post-Quantum Cryptanalysis of Lattice-based and Code-based Cryptosystems

Qian Guo∗†, Thomas Johansson∗, Erik Mårtensson∗ and Paul Stankovski∗

∗ Department of Electrical and Information Technology, Lund University, Sweden
Email: {qian.guo, thomas.johansson, erik.martensson, paul.stankovski}@eit.lth.se

† Selmer Center, Department of Informatics, University of Bergen, Norway
Email: qian.guo@uib.no

Abstract—Using large-scale quantum computers Shor's algorithm solves both the integer factoring problem and the discrete logarithm problem in polynomial time. To prepare for the future, new public-key cryptosystems, based on the difficulty of other mathematical problems, such as the Learning With Errors problem (LWE) and the problem of decoding a random linear code, have been created. The difficulty of these systems is not as well understood. Thus it is vital for cryptanalysts to develop techniques to try to break them. This extended abstract introduces recent work in this area from our group and discusses possible future research directions.

1. Introduction

Post-quantum cryptography, the area of cryptography in the presence of quantum computers, is currently a major topic in the cryptographic community. All practically used public-key cryptosystems rely on the hardness of solving either the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. Using a large-scale quantum computer all of these problems can be solved in polynomial time using Shor's algorithm [17].

Quantum computers also pose a threat towards symmetric cryptography and cryptographic hash functions. Grover's algorithm [9] makes it possible to search an unsorted list of size n in O(√n) time. This can be used to break symmetric cryptography and find hash collisions faster.

The threats against symmetric cryptography can easily be fixed by doubling the key length. However, the threats against public-key cryptography necessitate the development of cryptosystems based on the difficulty of new mathematical problems. Currently, post-quantum cryptography can be divided up into five areas: lattice-based, code-based and hash-based cryptography, multivariate cryptography and supersingular isogeny cryptography. This extended abstract will cover recent work in lattice-based and code-based cryptanalysis by our group, and also discuss possible future research directions.

For a general introduction to post-quantum cryptography see [6].

2. The McEliece Cryptosystem

The McEliece public-key cryptosystem is based on coding theory and was introduced by Robert McEliece in 1978 [14]. Figure 1 shows a simplified picture of how McEliece works. Alice has a binary-coded, secret message m¹ and multiplies it with a public generator matrix G of a binary, linear code to create a codeword. She then intentionally adds an error vector e to the codeword and sends it to Bob over an insecure channel. Eve can read the encrypted message, but the problem of correcting the errors e is computationally infeasible. However, Bob has access to the secret structure of the parity-check matrix H, which makes decoding the errors e easy.

Figure 1. A simplified picture of the McEliece public-key cryptosystem. [Figure: Alice computes mG from m and the public G, adds e, and sends mG + e over a channel observed by Eve; Bob uses the secret H to recover m.]

The McEliece system allows fast encryption and decryption, but has the main drawback of a large public key G. In the original paper Goppa codes were used, but many other codes have been suggested over the years to try to make the public key G smaller. One suggestion that leads to a comparably small public key is the QC-MDPC code [15]. It uses a parity-check matrix

H = [H0 | H1 | . . . | H(n0−1)], (1)

where the Hi submatrices are sparse and circulant. Each Hi can be represented by its first row hi. Thus H can be represented very sparsely. In a similar fashion the corresponding generator matrix G can also be sparsely represented.

¹ Within this text letters in red denote unknown entities. Bold faced letters denote vectors or matrices.
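The encrypt/decrypt flow of Figure 1 and the sign/absolute-value reading of Section 2.1, as an added Python example that is not from the paper: it uses the textbook Hamming(7,4) generator and parity-check matrices in place of a real Goppa or QC-MDPC code (and does not disguise G as a real McEliece key does), corrects a single error by syndrome decoding with the secret H, and, for the real-valued noise variant, shows how the hard decision and the reliability are read off each position. The message, the error vector and the noise values are constructed for illustration; all function names are this example's own.

```python
# Toy walk-through of the Figure 1 flow with the Hamming(7,4) code, plus the
# sign/absolute-value reading of Section 2.1. Added example, not the paper's code:
# a real McEliece instance uses a large Goppa or QC-MDPC code and disguises G;
# here G and H are the textbook pair so the steps can be followed by hand.

G = [  # public generator matrix (4 x 7), systematic form [I | P]
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
H = [  # secret parity-check matrix (3 x 7); G * H^T = 0 over GF(2)
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]
N, K = 7, 4

def encode(m):
    """Codeword mG over GF(2)."""
    return [sum(mi * row[j] for mi, row in zip(m, G)) % 2 for j in range(N)]

def encrypt(m, e):
    """Alice: codeword plus the intentional error vector e (binary errors, Figure 1)."""
    return [(c + ei) % 2 for c, ei in zip(encode(m), e)]

def syndrome(y):
    """H y^T; for a single error this is the column of H at the error position."""
    return [sum(h * yi for h, yi in zip(row, y)) % 2 for row in H]

def decrypt(y):
    """Bob: match the syndrome against the columns of H to locate one error,
    remove it and read m off the systematic part of the codeword."""
    syn = syndrome(y)
    c = list(y)
    if any(syn):
        columns = [[row[j] for row in H] for j in range(N)]
        c[columns.index(syn)] ^= 1
    return c[:K]

def soft_channel(codeword, noise):
    """Section 2.1 variant: 0 -> +1, 1 -> -1, then add real-valued noise."""
    return [(1.0 if bit == 0 else -1.0) + v for bit, v in zip(codeword, noise)]

def hard_decision_and_reliability(y_soft):
    """Sign says which bit is more likely; absolute value says how much to trust it."""
    bits = [0 if v > 0 else 1 for v in y_soft]
    reliability = [abs(v) for v in y_soft]
    return bits, reliability

def demo_soft():
    """Constructed noise vector: position 4 is pushed across zero and becomes a hard
    error; it is also the position with the lowest reliability, which is exactly the
    information a soft-decision decoder exploits."""
    m = [1, 0, 1, 1]
    noise = [0.2, -0.3, 0.1, -0.2, -1.4, 0.3, -0.1]   # constructed, not drawn at random
    codeword = encode(m)
    bits, rel = hard_decision_and_reliability(soft_channel(codeword, noise))
    order = sorted(range(N), key=lambda j: -rel[j])   # most reliable position first
    hard_errors = [j for j in range(N) if bits[j] != codeword[j]]
    return decrypt(bits), hard_errors, order

if __name__ == "__main__":
    msg, e = [1, 0, 1, 1], [0, 0, 0, 0, 0, 1, 0]
    y = encrypt(msg, e)
    print("ciphertext", y, "-> decrypted", decrypt(y))
    print("soft demo -> message, hard errors, reliability order:", demo_soft())
```

The Hamming code corrects exactly one error, so the toy only shows the mechanics; the security of the real system comes from the size of the code and the fact that Eve, without the secret structure behind H, faces generic decoding of a random-looking linear code.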
2.1. The Soft Stern Algorithm

In [4] it was suggested that by using a normal distributed noise, instead of a binary one like in Figure 1, it is possible to make G even smaller. In the codeword mG, each 0 is transformed to 1 and each 1 is transformed to -1. Then Gaussian noise with a certain standard deviation σ is added to the transformed codeword. By looking at each encrypted position we can tell whether it is more likely that it corresponds to a 0 or a 1, by looking at the sign of the value. By looking at the absolute value we can measure how likely we are to be correct about the value obtained from the sign. We call this soft information and the reliability of the value.

The most successful algorithms for decoding random linear codes with binary errors are all based on Stern's algorithm [18]. In [10] we developed a Stern-type algorithm that also took advantage of the reliability values of the encrypted vector. We showed how it broke the scheme suggested in [4]. In the full version of the paper we will show that the algorithm has applications in some side-channel attacks and in coding theory. In both those scenarios essentially the same decoding problem appears.

3. The LWE Problem

One problem in lattice-based cryptography is the Learning With Errors (LWE) problem, which is also the main research area of our group. It is a well-known fact in linear algebra that a linear equation system with n variables can be solved in O(n³) time. The LWE problem takes that problem, adds small error terms and suddenly ends up being a very challenging problem. Let us define the problem.

Definition 1 ((Search) LWE). Let n be a positive integer, q a prime, and let X be an error distribution selected as the discrete Gaussian distribution on Z_q. Fix s to be a secret vector in Z_q^n, chosen according to a uniform distribution. Denote by L_{s,X} the probability distribution on Z_q^n × Z_q obtained by choosing a ∈ Z_q^n uniformly at random, choosing an error e ∈ Z_q according to X and returning

(a, z) = (a, ⟨a, s⟩ + e)

in Z_q^n × Z_q. The (search) LWE problem is to find the secret vector s given a fixed number of samples from L_{s,X}.

Here, the discrete Gaussian distribution has a mean 0 and a standard deviation σ. It works in a way that is similar to the regular Gaussian distribution, but it outputs integer values. It also wraps its output values such that they lie in the interval [−(q−1)/2, (q−1)/2].

3.1. Properties of LWE

Before discussing how to solve the LWE problem two interesting features about it will be covered. First of all there is a reduction from worst-case hard lattice problems to average-case LWE, which was shown by Regev in the paper where he introduced LWE [16]. This makes it probable that LWE is a genuinely hard problem.

Secondly, it is possible to achieve fully homomorphic encryption (FHE) using LWE, which was originally shown by Gentry in [8]. In other words, it is possible to achieve an encryption function E, such that when encrypting messages m1 and m2, we have

E(m1 + m2) = E(m1) + E(m2),
E(m1 · m2) = E(m1) · E(m2). (2)

This makes it possible for us to let an untrusted party make calculations on our encrypted data. This is a very desirable property in a cloud computing context.

3.2. Solving LWE using BKW

There are some different possible methods for solving the LWE problem, for a survey see [2]. This abstract will focus on the Blum-Kalai-Wasserman (BKW) algorithm [1], [7].

It starts by guessing the last position in the vector s. Modify the samples accordingly. Next, find samples that are equal in the first b positions; z1 = ⟨[a0, a1], s⟩ + e1 and z2 = ⟨[a0, a2], s⟩ + e2. Subtracting them gives a new sample z1 − z2 = ⟨[0, a1 − a2], s⟩ + e1 − e2. This sample has smaller dimension, but noise increased by a factor of √2. Repeat this process another a − 1 times to zero out all the positions and end up with only error terms.

If the original guess of the last position was correct you end up with a bunch of discrete Gaussian samples with mean 0 and standard deviation σ · 2^(a/2). Otherwise you end up with uniformly random samples. Use a distinguisher to determine which is the case.

If the guess was wrong you modify the original guess and repeat the process. If the guess was correct you guess the second last position, modify the samples accordingly and repeat the process on the remaining positions. Position by position you work through the secret vector s.

3.3. Previous Improvements of BKW on LWE

The first improvement of BKW on LWE was in [3]. The idea was to take longer steps, by allowing that the positions in the sample do not get completely reduced to 0. It is still possible to distinguish between discrete Gaussian samples and uniform samples like above.

With this approach the extra added noise to reduced positions increases by a factor of √2 each time new positions get reduced. Using this method we end up with a vector with an unevenly distributed noise in the end.

A big improvement came in [12], [13]. The idea was to reduce the first positions almost to 0 and then gradually be less strict with the reduction. Less strict reduction allows for longer and longer steps. This way you end up with an even error distribution among the positions. We call this method coded-BKW.
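As an added Python example (not the paper's code) of Definition 1 and the plain BKW procedure of Section 3.2, the block below builds a toy LWE instance, performs the "find samples equal in the first b positions and subtract" step, and recovers the last position of s with a simple distinguisher. It also goes beyond the text with a simplified coded step in the spirit of Section 3.3, using rounding of centered coordinates in place of a lattice code, to show why not reducing positions all the way to 0 allows longer steps. The discrete Gaussian is approximated by a rounded continuous Gaussian; the parameters n = 4, q = 31, σ = 1 and every function name are constructed for illustration and are nowhere near cryptographic size.

```python
import math
import random

# Toy LWE instance (Definition 1) and the plain BKW reduction of Section 3.2, with a
# simplified coded step in the spirit of Section 3.3. Added example, not the paper's
# code. The discrete Gaussian is approximated by a rounded continuous Gaussian, and
# n = 4, q = 31, sigma = 1 are constructed toy parameters, nowhere near cryptographic size.

def lwe_samples(n, q, sigma, m, seed=0):
    """Return (s, samples) with samples (a, z), z = <a, s> + e mod q, a uniform in Z_q^n."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    samples = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        e = round(rng.gauss(0, sigma))          # stand-in for the discrete Gaussian X
        samples.append((a, (sum(x * y for x, y in zip(a, s)) + e) % q))
    return s, samples

def centered(x, q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2]."""
    return x - q if x > q // 2 else x

def _reduce_by_key(samples, key, q):
    """Group samples by key(a); the first sample of each group is the pivot and is
    subtracted from the others (and consumed), as in one BKW step."""
    buckets = {}
    for a, z in samples:
        buckets.setdefault(key(a), []).append((a, z))
    reduced = []
    for group in buckets.values():
        a1, z1 = group[0]
        for a2, z2 in group[1:]:
            reduced.append(([(x - y) % q for x, y in zip(a2, a1)], (z2 - z1) % q))
    return reduced

def bkw_reduce(samples, start, b, q):
    """Plain BKW: samples equal in positions [start, start+b) are subtracted, so those
    positions become exactly 0 and the noise becomes e1 - e2."""
    return _reduce_by_key(samples, lambda a: tuple(a[start:start + b]), q)

def coded_reduce(samples, start, b, q, step):
    """Simplified coded step: positions only have to round to the same multiple of
    `step`, so they end up small (|.| < step) rather than 0, but far fewer buckets
    are needed, which is what lets coded-BKW take longer steps."""
    key = lambda a: tuple(round(centered(x, q) / step) for x in a[start:start + b])
    return _reduce_by_key(samples, key, q)

def distinguisher_score(zs, q):
    """Mean of cos(2*pi*z/q): about 0 for uniform z, clearly positive for small centered noise."""
    return sum(math.cos(2 * math.pi * z / q) for z in zs) / len(zs)

def recover_last_position(samples, n, q, b):
    """Guess s[n-1], fold the guess into z ("modify the samples accordingly"), reduce
    the remaining n-1 positions to 0 in steps of b, and keep the guess whose leftover
    z values look like noise rather than uniform."""
    best_guess, best_score = None, -2.0
    for guess in range(q):
        cur = [(a[:n - 1], (z - guess * a[n - 1]) % q) for a, z in samples]
        for start in range(0, n - 1, b):
            cur = bkw_reduce(cur, start, min(b, n - 1 - start), q)
        score = distinguisher_score([z for _, z in cur], q)
        if score > best_score:
            best_guess, best_score = guess, score
    return best_guess, best_score

def demo(n=4, q=31, sigma=1.0, m=3000, b=1):
    s, samples = lwe_samples(n, q, sigma, m)
    guess, score = recover_last_position(samples, n, q, b)
    return s, guess, score

if __name__ == "__main__":
    s, guess, score = demo()
    print("secret s =", s, "| recovered s[n-1] =", guess, "| distinguisher score = %.3f" % score)
```

With b = 1 and n − 1 = 3 reduction steps the surviving noise has standard deviation at most about σ · 2^(3/2), so the cosine statistic stays far from 0 for the right guess and near 0 for the other q − 1 guesses; the same loop would then be repeated for the second last position and so on. The coded step shows the trade-off of Section 3.3 in miniature: with step = 5 the number of buckets per position drops from q to about q/5, at the price of leaving residual values of magnitude up to 4 in the reduced positions.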
3.4. Coded-BKW with Sieving

The idea in our recent paper on so called Coded-BKW with sieving [11] is to start with a less strict reduction in the first step, but then not allow the noise to grow in the upcoming steps. The algorithm is illustrated in Figure 2. In step i of the algorithm we map each sample to a list L_i, based on the current n_i positions. This is the coded step. By subtracting two vectors in L_i the resulting vector is on average smaller than B in the current n_i positions.

For each list L_i we only subtract pairs of vectors that are on average smaller than B in all the first N_i positions. This can be achieved by trying all possible pairs of vectors from L_i. However, we do this faster by using lattice sieving techniques [5]. This is the sieving step. The set of sieved lists S_1, . . . , S_K constitutes the set of samples for the next step of coded-BKW with sieving.

Figure 2. A picture of how one step of coded-BKW with sieving works. [Figure: 1. Coded Step: samples are mapped to lists L_1, . . . , L_K according to positions N_{i−1}+1 to N_i, so that (a1 − a2)[N_{i−1}+1 : N_i] is smaller than B√n_i; 2. Sieving Step: each L_i is sieved into S_i, keeping s[1 : N_i] smaller than B√N_i.]

A high level picture of what the samples' a vectors look like after each step of the different versions of coded-BKW is seen in Figure 3. The height represents the average value of the positions and the width represents the number of positions. Using plain BKW, in each step a certain number of positions get reduced to 0.

Using coded-BKW the positions do not get completely reduced. The positions corresponding to previously reduced positions increase by a factor of √2 each time new positions get reduced. To end up with evenly distributed noise we take longer and longer steps and become less and less strict with the reduction.

Using coded-BKW with sieving, the sieving step in coded-BKW with sieving makes sure that the previously reduced positions do not increase in magnitude. Thus, initially, we do not have to reduce the positions as much as in coded-BKW. However, the sieving process gets more expensive the more positions we work with, and we must therefore gradually decrease the step size.

Figure 3. A high level illustration of how the different versions of the BKW algorithm work. [Figure: three panels, Plain BKW, Coded-BKW and Coded-BKW with Sieving.]

3.5. Asymptotics of Coded-BKW with Sieving

Let us introduce some notation to analyze the asymptotic behavior of LWE. Let q = n^(c_q) and σ = n^(c_s). Then for most parameter settings the asymptotic time complexity of solving LWE is 2^((c+o(1))n), where c is a constant that depends on c_q and c_s.

Example 1 (The Regev Parameters). Regev suggested using c_q = 2 and c_s = 1.5 in his original LWE paper [16]. These parameters are still considered the most interesting cryptographically speaking.

For the Regev parameters we get the exponential constants in Table 1. For the Regev parameters plain BKW is asymptotically faster than the best lattice reduction algorithm. The previously best algorithm for this setting was coded-BKW [12], [13]. We improved the complexity exponent down to 0.8951. Using a quantum computer and Grover's algorithm we further reduce the complexity down to 0.8856.

TABLE 1. Asymptotic complexity for the Regev parameters

  Algorithm                          Complexity exponent (c)
  Quantum Coded-BKW with Sieving     0.8856
  Coded-BKW with Sieving             0.8951
  Coded-BKW                          0.9299
  Plain BKW                          1.0000
  Lattice reduction                  1.1680

In Figure 4 we look at which algorithms perform best for different parameter settings. The Arora-Ge algorithm, which is best for c_s < 0.5 but otherwise worse than BKW or lattice reduction, is excluded from the figure².

The upper subfigure shows the previous situation. For the Regev parameters and in an area around them coded-BKW was the best algorithm; for other parameter settings lattice reduction algorithms were better.

The lower subfigure shows the new situation. Coded-BKW with sieving beats coded-BKW everywhere and also beats lattice reduction at some places where that used to be the best algorithm.

4. Future Research Directions

In the full version of the coded-BKW with sieving algorithm we further improve the asymptotics of the algorithm.

² The case where c_s < 0.5 is not so interesting cryptographically because Regev's reduction result from worst-case lattice problems to average-case LWE does not apply [16].
Figure 4. A comparison between the asymptotic behavior of the best algorithms for solving the LWE problem for different values of c_q and c_s. The different colored areas correspond to where the corresponding algorithm beats the other algorithms in that subplot.

One research direction is to continue on that path and make even more minor improvements.

More important is to investigate the concrete complexity of the algorithm. For a concrete instance of the LWE problem, what is the number of bit operations needed to solve the problem? So far, lattice reduction algorithms have been better for practically solvable instances of LWE. Optimizing coded-BKW with sieving to see exactly where the cut-off point is, where the algorithm starts to beat lattice reduction, is an interesting research direction.

Acknowledgments

The group is supported in part by the Swedish Research Council (Grant No. 2015-04528).

The authors would like to thank the Cryptacus 2018 Training School organizers for their generous grant that helped support the participation in the school.

References

[1] Martin Albrecht, Carlos Cid, Jean-Charles Faugère, Robert Fitzpatrick, and Ludovic Perret. On the Complexity of the BKW Algorithm on LWE. Designs, Codes and Cryptography, 74, 02 2015.
[2] Martin Albrecht, Rachel Player, and Sam Scott. On the Concrete Hardness of Learning with Errors. Journal of Mathematical Cryptology, 9, 10 2015.
[3] Martin R. Albrecht, Jean-Charles Faugère, Robert Fitzpatrick, and Ludovic Perret. Lazy Modulus Switching for the BKW Algorithm on LWE. In Hugo Krawczyk, editor, Public-Key Cryptography – PKC 2014, pages 429–445, Berlin, Heidelberg, 2014. Springer Berlin Heidelberg.
[4] M. Baldi, P. Santini, and F. Chiaraluce. Soft McEliece: MDPC code-based McEliece cryptosystems with very compact keys through real-valued intentional errors. In 2016 IEEE International Symposium on Information Theory (ISIT), pages 795–799, July 2016.
[5] Anja Becker, Léo Ducas, Nicolas Gama, and Thijs Laarhoven. New directions in nearest neighbor searching with applications to lattice sieving. In Proceedings of the Twenty-seventh Annual ACM-SIAM Symposium on Discrete Algorithms, SODA '16, pages 10–24, Philadelphia, PA, USA, 2016. Society for Industrial and Applied Mathematics.
[6] Daniel J. Bernstein, Johannes Buchmann, and Erik Dahmen. Post Quantum Cryptography. Springer Publishing Company, Incorporated, 2008.
[7] Avrim Blum, Adam Kalai, and Hal Wasserman. Noise-tolerant Learning, the Parity Problem, and the Statistical Query Model. J. ACM, 50(4):506–519, July 2003.
[8] Craig Gentry. Fully Homomorphic Encryption Using Ideal Lattices. In Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, STOC '09, pages 169–178, New York, NY, USA, 2009. ACM.
[9] Lov K. Grover. A Fast Quantum Mechanical Algorithm for Database Search. In STOC, 1996.
[10] Q. Guo, T. Johansson, E. Mårtensson, and P. Stankovski. Information Set Decoding with Soft Information and some cryptographic applications. In 2017 IEEE International Symposium on Information Theory (ISIT), pages 1793–1797, June 2017.
[11] Qian Guo, Thomas Johansson, Erik Mårtensson, and Paul Stankovski. Coded-BKW with sieving. In Tsuyoshi Takagi and Thomas Peyrin, editors, Advances in Cryptology – ASIACRYPT 2017, pages 323–346, Cham, 2017. Springer International Publishing.
[12] Qian Guo, Thomas Johansson, and Paul Stankovski. Coded-BKW: Solving LWE Using Lattice Codes. In Rosario Gennaro and Matthew Robshaw, editors, Advances in Cryptology – CRYPTO 2015, pages 23–42, Berlin, Heidelberg, 2015. Springer Berlin Heidelberg.
[13] Paul Kirchner and Pierre-Alain Fouque. An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices. In Rosario Gennaro and Matthew Robshaw, editors, Advances in Cryptology – CRYPTO 2015, pages 43–62, Berlin, Heidelberg, 2015. Springer Berlin Heidelberg.
[14] R. J. McEliece. A Public-Key Cryptosystem Based on Algebraic Coding Theory. JPL DSN Progress Report, 44, 05 1978.
[15] R. Misoczki, J. P. Tillich, N. Sendrier, and P. S. L. M. Barreto. MDPC-McEliece: New McEliece variants from Moderate Density Parity-Check codes. In 2013 IEEE International Symposium on Information Theory, pages 2069–2073, July 2013.
[16] Oded Regev. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. In Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, STOC '05, pages 84–93, New York, NY, USA, 2005. ACM.
[17] Peter Williston Shor. Algorithms for Quantum Computation: Discrete Logarithms and Factoring. In FOCS, pages 124–134. IEEE Computer Society, 1994.
[18] Jacques Stern. A method for finding codewords of small weight. In Gérard Cohen and Jacques Wolfmann, editors, Coding Theory and Applications, pages 106–113, Berlin, Heidelberg, 1989. Springer Berlin Heidelberg.
