Cryptanalysis of Compact-LWE and Related Lightweight Public Key Encryption

In the emerging Internet of Things (IoT), lightweight public key cryptography plays an essential role in security and privacy protection. With the approach of the quantum computing era, it is important to design and evaluate lightweight quantum-resistant cryptographic algorithms applicable to IoT. LWE-based cryptography is a widely used and well-studied family of postquantum cryptographic constructions whose hardness is based on worst-case lattice problems. To make LWE friendly to resource-constrained IoT devices, a variant of LWE, named Compact-LWE, was proposed and used to design lightweight cryptographic schemes. In this paper, we study the so-called Compact-LWE problem and clarify that under certain parameter settings it can be solved in polynomial time. As a consequence, our result leads to a practical attack against an instantiated scheme based on Compact-LWE proposed by Liu et al. in 2017.


Introduction
The Internet is changing from a network of conventional computers to a network of smart objects, that is, "things," including vehicles, electronics, implantable medical devices, and sensors. The trend of the Internet of Things (IoT) makes the Internet more ubiquitous, but it simultaneously brings a series of challenges, such as monitoring [1], communication [2], and management [3]. Among all these challenges, security [4][5][6] is currently listed as a top concern. As the theoretical basis, cryptographic algorithms play a key role in achieving data confidentiality and integrity, authentication, and other security needs in IoT.
Currently, RSA and ECC cryptosystems have been implemented efficiently on resource-constrained devices [7,8], which provides desirable security for IoT applications. However, these public key schemes are based on integer factorization or discrete logarithms, which are fragile under quantum cryptanalysis. To defend against quantum attacks, NIST has launched the postquantum cryptography standardization. Lattice-based cryptography is viewed as a very promising postquantum alternative to classical cryptography due to its strong security guarantees, great performance, and powerful functionality. It is becoming increasingly important to design and evaluate practical schemes based on well-studied lattice problems.
The Learning With Errors (LWE) problem, introduced by Regev [9], is one of the most popular lattice problems for cryptographic applications [10][11][12][13]. An LWE instance consists of a random matrix A ∈ Z ×  and a vector b = As + e mod , where the secret s ∈ Z   and the error e ∈ Z  are sampled from a certain distribution. The decision LWE problem is to distinguish the distribution of LWE instances from the uniform distribution over Z ×  × Z   , while the search version is to recover the secret s from LWE instances. In [9], the average-case LWE is proved to be as hard as certain worst-case lattice problems, which provides a solid theoretical grounding for LWE-based schemes.
However, LWE-based schemes are usually not efficient in practice. It seems infeasible to apply regular LWE-based cryptographic constructions to IoT directly, due to the constrained computing environments of smart devices. Thus it is critical to refine existing algorithms or develop new LWE-based cryptographic schemes for security protection using limited resources. So far, there are mainly two optimization strategies: (1) introducing extra algebraic structures and (2) reducing the sizes of matrix or vector elements. Following the first one, some LWE variants, such as Ring-LWE [14] and Module-LWE [15], were developed and led to many practical schemes [16][17][18] and efficient implementations [19,20]. Following the second strategy, some variants were proposed as well, including LWE with short secret or error [21][22][23] and LWE with compact matrix [24,25]. Then, related cryptanalyses [26][27][28][29] provided concrete security estimations for the schemes based on these variants.
Security and Communication Networks
A recent instantiation of an LWE-based encryption scheme with particularly aggressive parameters was proposed by Liu et al. [25] and presented as an invited talk at the ACISP 2017 conference. The scheme is based on the so-called Compact-LWE and is designed especially for resource-constrained IoT devices. As shown by experimental results, the scheme indeed achieves excellent performance on small IoT devices. Subsequently, Bootle and Tibouchi gave a cryptanalysis of this scheme [29], recovering the nonce used in the encryption process with the help of the lattice embedding technique. They pointed out that the security level was much lower than [25] claimed.
We took a closer look at the Compact-LWE problem, an LWE variant in which the random matrix A is selected from a small range, and discovered that two -ary lattices defined by A have reduced bases with special patterns. We proved that the Compact-LWE problem can be solved in polynomial time under certain parameters, and applied this result to analyze two concrete lightweight public key schemes proposed in [24,25], respectively. We failed to attack the scheme of [24] due to its moderate parameters, but successfully recovered plaintexts with 100% probability and within a very short time for the encryption scheme in [25]. Compared with the attack against the scheme of [25] in [29], our attack follows a different method and can be used to analyze general cryptographic constructions based on this kind of LWE variant.
The article is organized as follows. In Section 2, we recall some notations and basic facts used in our discussion. In Section 3, we introduce Compact-LWE and present our analysis. We describe a concrete attack against related Compact-LWE-based schemes in Section 4 and conclude in Section 5.

Preliminaries
Notations.
For any positive integer , we identify Z  with the set {0, . . .,  − 1}. We denote by []  the remainder of  divided by  in Z  and by []  the remainder in {−⌈/2⌉, . . .,  − 1 − ⌈/2⌉}. Let ⟨⋅, ⋅⟩ and ‖ ⋅ ‖ be the Euclidean inner product and norm, respectively. The elements of R  are viewed as column vectors. For any point t ∈ R  and  > 0, we denote by B  (t, ) the -dimensional ball of radius  centered at t.

Probability and Statistics.
Let  be a distribution over a discrete domain . We write  ←  to represent the random variable  sampled from the distribution . For a finite domain , we denote by () the uniform distribution over .
A function () is negligible if () = ( − ) for every fixed constant . We generally denote by negl() a negligible function with respect to . We say that a probability is overwhelming if it is 1 − negl(), and that a probability is nonnegligible if it is ( − ) for some constant .
Definition 1. Given a distribution  over Q  , we say that  is (, )-confidence with respect to  if Pr[‖‖ ≥ ] ≤ negl() and Pr[‖‖ ≤ ] ≥ 1/poly() for  ← .
The parameter  describes an overwhelming confidence interval for  with respect to , while  describes a nonnegligible confidence interval. Given a lattice L and a "reasonable" subset  of span(L), the Gaussian heuristic says that the number of points in  ∩ L is approximately vol()/vol(L). From the Gaussian heuristic, we would expect that
Lattice reduction is a powerful tool for cryptanalysis. LLL, invented by Lenstra et al. [30], is the first polynomial time lattice reduction algorithm. We now recall this classical reduction. For a detailed introduction, we refer to [31].

Definition 3 (LLL reduced basis). A basis
Then we immediately get the following property of LLL reduced bases.

Compact-LWE and Its Weak Instances
In this section, we introduce an LWE variant named Compact-LWE and report on an attack against certain Compact-LWE instances. A formal definition of Compact-LWE is given as follows.
Definition 5. Let , , ,  be positive integers and  be a distribution over Z  .Given s ← (Z   ), the Compact-LWE ,,,, problem is to recover s from (A, b = As + e mod ) where A ← (Z ×
Compared with classical LWE, the size of the elements of A, namely , can be less than the modulus . Thanks to this modification, Compact-LWE-based schemes have smaller public key sizes and better efficiency than original LWE-based schemes. Thus Compact-LWE seems friendly to lightweight cryptography and constrained devices.

Structures of 𝑞-Ary Lattices in Compact-LWE.
We introduce two -dimensional -ary lattices which are widely used in the cryptanalysis of LWE. The first lattice, denoted by L  (A), is generated by the columns of A and ⋅I  and defined as The second lattice L ⊥  (A) is formed by all integer vectors "orthogonal" (modulo ) to the columns of A, which is As shown in [10], these two lattices are duals scaled by a factor: By running the LLL algorithm with input (A | ⋅I  ), one can obtain a basis of L  (A). For A in the compact setting, the LLL reduced basis has a special structure.
(2) ‖b *  ‖ >  −+1 (√) −/(−) for  + 1 ≤  ≤ .
Proof. Let  : Together with (4), it follows that Let  A (⋅) denote the projection to the orthogonal complement of span(A). Considering the projected lattice L  generated by  A ( ⋅ I  ), the dimension of L  is ( − ). Combined with (6), we have By the Gaussian heuristic, we have that A straightforward computation leads to  1 (L  ) ≥ √ ≥ max  =1 ‖a *  ‖. It is known that the maximum of the Gram-Schmidt norms never increases during the LLL algorithm. Thus, the Lovász condition always holds for the th and (+1)th vectors during LLL, which means that these two vectors are never swapped. In other words, running LLL on (A |  ⋅ I  ) is equivalent to running LLL on A and on  A ( ⋅ I  ) separately. Consequently, we have L(b 1 , . . ., b  ) = L(A) and ‖b *  ‖ ≤ max  =1 ‖a *  ‖ ≤ √ for 1 ≤  ≤ . For the second inequality, Lemma 4 yields that because ‖b * +1 ‖ ≥  1 (L  ). This completes the proof.
Remark 7. Experimental results coincide with Lemma 6. Under the parameter settings (, , ) = (2^20, 300, 120), we generated 20 instances for each  ranging from 2 to 2^18. Figure 1 illustrates the average profile of B, where the first  b *  's are relatively short when  is small. We notice that the slope of {log_2 ‖b *  ‖}  =+1 is less than the theoretical bound log_2  ≈ 0.2172, which can be explained by the better performance of LLL in practice than the theoretical prediction. Figure 2 shows the gap between ‖b * +1 ‖ and ‖b *  ‖, which narrows as  increases. It is worth noting that when  <  /(−) /√ (the bound in Lemma 6, marked by the dashed line), the gap is quite significant.
Proof. Let B = (B 1 | B 2 ) be the LLL reduced basis of L  (A) defined in Lemma 6, where L(B 1 ) = L(A). Let U be a matrix such that U  B = I  . Then, from (4), U is a basis of L ⊥  (A). where On the other hand, for arbitrary k ∈ L ⊥ (B 1 ) ⊆ L ⊥  (A), there exists a unique vector pair We run the size reduction algorithm on (u 1 , . . ., u  ) (the vectors of U in reverse order) and obtain a new basis of L ⊥  (A), denoted by D = (d 1 , . . ., d  ). Size reduction can be done within polynomial time; thus it suffices to prove that the last two conditions hold for D. From Lemmas 2 and 6, we have that, for  = 1, . . .,  − , and then This completes the proof.
Remark 9. We ran experiments under the parameters (, , ) = (2^20, 300, 120) and tested 20 instances for each  ranging from 2 to 2^18. Figure 3 provides a geometric intuition of D. There also exists a large gap between ‖d − ‖ and ‖d −+1 ‖ when  is small. As illustrated in Figure 4, the gap between ‖d − ‖ and ‖d −+1 ‖ shrinks as  grows. However, when  <  −/ /√ (marked by the dashed line), the length of d − is far less than .

Attack Against Weak Compact-LWE Instances.
Figure 1 illustrates a staircase-shaped profile of the basis of L_𝑞(A).
Exploiting this feature, we can prove that it is possible to efficiently recover a candidate error whose norm is close to that of the original error for certain parameters. The following lemma will be used in the later discussion.
dist(t, L) ≤  < (1/2) min  =1 ‖b *  ‖, then there exists a unique vector in B(t, ) ∩ L.
Proof. We denote by k = ∑  =1 V  b  the vector output by Babai's nearest plane algorithm [32] on the lattice L and target vector t. Assume, by contradiction, that k′ ≠ k is another vector in B(t, ) ∩ L and k′ = ∑  =1 V′  b  . Let  be the largest index such that V  ≠ V′  . According to the process of Babai's algorithm, we conclude that which implies a contradiction.
Proof. Given a random sample (A, b = As + e mod ), we can obtain a basis of L  (A), denoted by B, by applying the LLL algorithm with parameter  on (A | I  ). Applying Babai's algorithm to L  (A) and the target vector b, we get a solution pair (s  , e  ). We now prove that (s  , e  ) is legal for Compact-LWE, that is, ‖e  ‖ ≤ , with nonnegligible probability.
Remark 12. In such weak instances, it can be verified that and thus the parameters are overstretched [33,34]. The inequalities given in Lemma 6 follow from the worst-case analysis of LLL, but LLL behaves much better in practice. Hence our attack may apply to more Compact-LWE instances. Moreover, note that, for a usual LWE distribution  such as the discrete Gaussian, it is easy to set ,  such that  is (, )-confidence.
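As an added illustration of Lemma 10 and of the Babai step in the proof of Theorem 11 (example code written for this page, not the paper's NTL implementation): Babai's nearest plane algorithm on a small constructed basis, together with the radius (1/2) min ‖b_i*‖ from Lemma 10. The basis, the hidden lattice point and the error vectors are all constructed for the example; an error inside the radius leads back to the unique lattice point, while a larger error shows that the ball may then contain more than one lattice point.

```python
from fractions import Fraction
from math import sqrt

# Vectors are lists; a basis is a list of basis vectors b_1, ..., b_k (the columns of B).

def dot(u, v):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))

def norm(v):
    return sqrt(dot(v, v))

def gram_schmidt(basis):
    """Gram-Schmidt orthogonalisation b*_i = b_i - sum_{j<i} mu_ij b*_j, in exact arithmetic."""
    bstar = []
    for b in basis:
        v = [Fraction(x) for x in b]
        for s in bstar:
            mu = dot(b, s) / dot(s, s)            # mu_ij = <b_i, b*_j> / <b*_j, b*_j>
            v = [vi - mu * si for vi, si in zip(v, s)]
        bstar.append(v)
    return bstar

def lemma10_radius(basis):
    """Lemma 10: if dist(t, L) <= rho < (1/2) min ||b*_i||, B(t, rho) contains exactly one lattice point."""
    return min(norm(s) for s in gram_schmidt(basis)) / 2

def babai_nearest_plane(basis, t):
    """Babai's nearest plane algorithm: returns (lattice point, integer coefficients)."""
    bstar = gram_schmidt(basis)
    r = [Fraction(x) for x in t]
    coeffs = [0] * len(basis)
    for i in reversed(range(len(basis))):         # choose the nearest hyperplane for b_k, ..., b_1
        c = round(dot(r, bstar[i]) / dot(bstar[i], bstar[i]))
        coeffs[i] = c
        r = [ri - c * bi for ri, bi in zip(r, basis[i])]
    k = [sum(c * b[j] for c, b in zip(coeffs, basis)) for j in range(len(t))]
    return k, coeffs

# Constructed example basis: every Gram-Schmidt vector has norm 4, so the Lemma 10 radius is 2.
BASIS = [[4, 0, 0], [1, 4, 0], [1, 1, 4]]
V = [10, -1, 12]                      # = 2*b_1 - b_2 + 3*b_3, the hidden lattice point

def recover(error):
    """Run Babai on t = V + error; report the recovered point and whether it equals V."""
    t = [v + e for v, e in zip(V, error)]
    k, _ = babai_nearest_plane(BASIS, t)
    return k, k == V

if __name__ == "__main__":
    print("Lemma 10 radius:", lemma10_radius(BASIS))
    print(recover([1, -1, 1]))        # ||e|| = sqrt(3) < 2: V is the unique point and is recovered
    print(recover([0, 0, 2.5]))       # ||e|| = 2.5 >= 2: a different lattice point is returned
```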

Attack against Compact-LWE-Based Schemes
In this section, our analysis of Section 3 is applied to attack concrete Compact-LWE-based lightweight encryption schemes. We successfully recover the plaintexts of the IoT-oriented public key encryption proposed by Liu et al. in [25], by a method entirely different from that of [29]. However, we fail to give an effective cryptanalysis of the binary LWE-based lightweight encryption in [24].

Liu et al.'s Compact-LWE-Based Scheme.
Firstly, we briefly recall the public key encryption in [25]. The scheme is specified by a tuple of public parameters (, , , , , ) satisfying We list below the three main algorithms: key generation Gen, encryption Enc(⋅), and decryption Dec(⋅).

Attack against Liu et al.'s Scheme.
According to the average profile of the bases shown in Lemmas 6 and 8 under the parameters (, , , ) = (2^32, 74, 13, 16) (see Figures 5 and 6) as suggested in [25], Liu et al.'s scheme appears fragile. We propose a new attack against Liu et al.'s scheme with the help of our analysis of Compact-LWE in Section 3.
Our attack consists of two steps: guessing the mask coefficient (, ) and recovering the plaintext. In the first step, one can almost determine the pair (, ) (sometimes together with several possible candidate pairs) by enumerating and checking. In the second step, combined with (, ), one can calculate a legal solution pair (s  , e  ) to the Compact-LWE problem and thereby recover the plaintext. We now show the details of our attack.
Step 1 (guessing the mask coefficient (, )). Firstly, we prove that it is possible to efficiently recover the secret parameters  and  from the public key PK = (A, pk) alone.
(2) Calculate V  = ⌊  ⋅   ⌉  . ( We now explain why the ciphertext can be decrypted correctly by the above algorithm. It can be checked that   ⋅   =   ⋅ V +   ∑  =1     mod . Noticing that ‖e  ‖ is well bounded and that some coordinates    of e  could be negative, we may assert that   ⋅ V +   ∑  =1     ∈ (−/2, /2) with high probability. Thus the term   ⋅ V +   ∑  =1     can be recovered (as V  ) correctly, which implies that V  is the plaintext.
Experiments show that the plaintext can indeed be recovered, even if (  ,   ) = ( ⋅ , ) for some  ≠ 1. When  is large, the norm of e  may exceed the upper bound √, which implies that (  ,   ) is a wrong guess. Therefore, we may further eliminate some wrong guesses of (  ,   ) in this step. Moreover, one may also try more middle terms such as V  = ⌊  ⋅   ⌉  , ⌊  ⋅   ⌉  ±  during the "decryption" to ensure that the correct value of   ⋅ V +   ∑  =1     is not missed. However, from our experimental results, we observe that trying only one V  = ⌊  ⋅   ⌉  is enough to recover the plaintext in practice.
Experimental Results. We implemented our attack using the NTL library [35]. All experiments were run on a single core of a 3.40 GHz Core i7-4930K PC.
As mentioned before, we may obtain several (  ,   ) pairs in Step 1. In fact, it suffices to use the pair with the minimal   to recover the plaintext. This observation leads to an optimization of the attack: one may search for (  ,   ) in increasing (dictionary) order and move to Step 2 once a candidate is found. Experimental results for the optimized attack are given in Table 2.
Comparison with Bootle and Tibouchi's Attack. We note that Bootle and Tibouchi also proposed a practical attack [29] against Liu et al.'s encryption scheme. They deployed the technique of embedding lattices to compute the nonce sequence  1 , . . .,   in the encryption process Enc(⋅), while we start from a different angle and recover a substitute tuple of private keys (  ,   , s  , e  ). We hold the view that the insecurity of Liu et al.'s scheme is not only a result of the small value of  as claimed in [29], but also of the overstretched magnitude relation between the modulus  and the parameters , , and , which is clarified in Theorem 11.

Attack against Galbraith's Scheme.
In [24], Galbraith proposed a class of LWE-based encryption for constrained devices with more compact parameters; that is, the public matrix A is binary. We tried to attack Galbraith's scheme by exploiting short vectors of L ⊥  (A) as described before, but it was ineffective even for the parameters totally broken in [27]. This is because the modulus  in Galbraith's scheme is not so overstretched. However, the binary public matrix and encryption nonce may still be problematic, as suggested in [27].

Conclusion
In this paper, we target the variant of LWE called Compact-LWE, which may be applied to design IoT-oriented lightweight cryptography. We give an explicit analysis of Compact-LWE and point out some weak instances with extreme compactness and overstretched moduli. As an application of our results, we propose a practical attack against the lightweight public key scheme in [25]. Consequently, we claim that the security estimation in [25] is incorrect.
The fragility of the scheme in [25] comes not only from its small parameters but also from the weak hardness of Compact-LWE. It would be interesting to establish a general theoretical hardness relation between Compact-LWE and other lattice problems.
Compact-LWE may still be of some interest under refined parameters. We leave to future work the trade-off between efficiency and security, in particular the practical parameter selections achieving given security levels for IoT devices.

Lattices.
A lattice L is a discrete additive subgroup of R  generated by a set of linearly independent vectors b 1 , . . ., b  , that is, L = {∑  =1   b  |   ∈ Z for any }. We call B = (b 1 , . . ., b  ) ∈ R × a basis of L and write L as L(b 1 , . . ., b  ) or L(B). The integer  is called the rank of L. For any unimodular matrix U ∈ Z × , BU is also a basis of L. The span of L, denoted by span(L), is the linear space spanned by its basis. The first minimum of a lattice L is defined as  1 (L) := min k∈L\{0} ‖k‖. We denote by B * = (b * 1 , . . ., b *  ) the Gram-Schmidt orthogonalization of B, where b *  = b  − ∑ −1 =1  , b *  and  , = ⟨b  , b *  ⟩/⟨b *  , b *  ⟩. The volume of L is defined as vol(L) = ∏  =1 ‖b *  ‖, which is an invariant of L and independent of the choice of basis. The dual lattice of L is L * := {y ∈ span(L) | ⟨x, y⟩ ∈ Z, ∀x ∈ L}. If B is a basis of L, it is known that D = B(B  B) − is a basis of L * . Furthermore, we have the following relation between the Gram-Schmidt orthogonalization of a basis and that of its dual.

Lemma 10. Let L ⊆ R  be a lattice of rank  and B be a basis of L. Let t ∈ R  and dist(t, L) = min k∈L ‖t − k‖. If

Table 1: Experimental results.

Table 2: Experimental results for optimized attack.

(21) and check inequality (21) for d 1 , . . ., d − , respectively; then (, ) is viewed as a candidate when it holds for all  = 1, . . .,  − . Experiments indicate that this step can indeed determine the unique correct (, ) most of the time, and outputs a few candidates (including the correct pair) of the form ( ⋅ , ) for a small factor  at other times. Therefore, by guessing  and , we can actually remove the secret scaling factor and transform PK into a standard Compact-LWE sample.
in Theorem 11, we know that      e