Lattice on As it was

Solving LWE with Independent Hints about Secret and Errors — Lu, Feng, Pan (2025)

maocred@gmail.com (Halois) — Wed, 27 May 2026 12:00:00 +0800

Reading: Lu, Feng, Pan (2025). Solving LWE with Independent Hints about Secret and Errors.

问题设定： 给定 LWE 实例 $(A, \mathbf{b} = \mathbf{s}A + \mathbf{e} \bmod q)$ 和一组精确的侧信道 hint（关于 $\mathbf{s}$ 或 $\mathbf{e}$ 的内积值），构造 primal attack 格基进行密钥恢复。

本文的改进： 将 Nowakowski-May (ASIACRYPT 2023) 嵌入 hint 时使用的 LLL 约简替换为 Hermite 标准型（HNF）——一个多项式次数更低的整数线性代数操作。Kyber512 上 234 个完美 hint 的基构造从 2.16 小时降至 0.35 小时。格基维度与行列式与 MN23 等价，对完美 hint 行列式略有增大。

本笔记关注： (1) 构造链——hint 转为 lattice hint 后如何通过矩阵乘法嵌入 primal attack 格基；(2) HNF 比 LLL 快在哪——多项式次数的差距及其工程含义；(3) 论文未说但值得追问的部分——带噪 hint、联合 hint、attack pipeline 完整评测的缺失。

Lattice Part 10: Implementation Fault Lines in Lattice Cryptography

maocred@gmail.com (Halois) — Fri, 25 Oct 2024 12:00:00 +0800

Reading: Peikert’s survey as the wide-angle frame¹, NTRU Prime’s attack-surface language², NIST’s standardized ML-KEM / ML-DSA interfaces³⁴, and the implementation-attack papers that target Kyber, BLISS, Falcon, and lattice decapsulation itself⁵⁶⁷⁸⁹¹⁰¹¹. Part 10 closes the lattice subseries at the only boundary that really matters in deployment: proof-level security is about an abstract construction, while deployed security is about the arithmetic, randomness, control flow, and fault behavior that actually reach silicon.

From Parts 0-3, read every deployed scheme as a concrete implementation of modular lattice relations over short coefficient vectors. Structured rings and modules buy compactness because multiplication becomes regular and sampling stays cheap enough to ship. The same structure also narrows the implementation surface into a few hot loops: NTT butterflies, modular reductions, coefficient compression, rejection tests, hint generation, and decapsulation compares. Those loops are exactly where timing, power, cache behavior, and induced faults start to expose data that the proof never modeled.

The useful split is therefore not “lattices have side channels too.” That is too generic to help. The useful split is KEM versus signature. A KEM exposes a decapsulation oracle whose correctness margins and implicit rejection logic can be probed adaptively. A signature scheme exposes a signing loop whose sampler and abort logic must maintain the right distribution across many signatures under one long-term key. Same hardness family, different failure physics.

Lattice Part 9: Concrete Security of Lattice Schemes — Primal, Dual, BKZ

maocred@gmail.com (Halois) — Wed, 25 Sep 2024 12:00:00 +0800

Reading: Peikert’s survey as the wide-angle frame¹, Albrecht-Player-Scott for concrete-LWE attack modeling², Chen-Nguyen for BKZ quality heuristics³, the Homomorphic Encryption Standard for published parameter-table practice⁴, and the LWE Estimator for the operational interface between these papers and actual numbers⁵.

Parts 0-3 fixed the geometric vocabulary: bases, reduced bases, SVP/CVP, cosets, and short modular witnesses. A deployed lattice scheme then adds concrete parameters such as dimension, modulus, secret distribution, error distribution, and sample count. None of those symbols, by itself, proves that one parameter set costs an attacker $2^{128}$ steps. That last sentence is not a theorem output. It is an attacker model layered on top of the theorem.

So this chapter stays on the attacker side of the interface. The real objects are primal attacks, dual attacks, BKZ block size, root-Hermite factor, and the estimator-style chain that turns $(n,q,\chi,k,m)$ into a work factor only after a long list of modeling decisions has been fixed.

This chapter therefore separates asymptotic hardness claims from concrete parameter-setting practice. It defines primal and dual attack viewpoints clearly, then uses concrete security estimation and attack-cost modeling to map parameter choices to attack-cost estimates.

In that exact sense, the goal is to connect BKZ quality assumptions to concrete lattice-scheme security reasoning rather than to repeat a security badge from the reduction side.

Lattice Part 8: Identity-Based and Functional Encryption From Lattices

maocred@gmail.com (Halois) — Sun, 25 Aug 2024 21:00:08 +0800

Reading: Peikert’s survey is the right wide-angle backbone here because it keeps advanced lattice constructions on one trapdoor-and-sampling axis instead of letting IBE, ABE, and FE turn into unrelated acronyms.¹ Boneh-Shoup is useful for a second reason: it separates public-key encryption, identity-based encryption, attribute-based encryption, and functional encryption at the interface level before we even choose lattices.²

The only extra primitive beyond Parts 0-3 is GPV-style trapdoor sampling: a hidden short basis is not merely evidence for a hard relation; it is a usable interface for sampling short preimages.³ Once that interface exists, the next question is forced: can decryption authority be derived, specialized, or delegated instead of being one monolithic secret key?

That is the organizing mechanism of this chapter. IBE, HIBE, ABE, and FE are different answers to the same question: given a master trapdoor, what short secret material can we derive for a public label, a hierarchy path, an attribute policy, or a function key, and what exactly should that derived key be allowed to recover?⁴⁵⁶

Lattice Part 7: Gadget Decomposition and Fully Homomorphic Encryption

maocred@gmail.com (Halois) — Thu, 25 Jul 2024 12:00:00 +0800

Reading: Peikert’s wide-angle survey for the lattice backbone¹, Brakerski’s FHE survey for the leveled-to-full control argument², and the Gentry / BGV / BV / GSW / FV papers for the actual mechanism³⁴⁵⁶⁷. Beyond Parts 0-3, the only extra objects needed here are introduced locally: noisy LWE-style decryptions, structured ring or module arithmetic, gadget bases, and evaluation keys. Part 7 is where those objects become one controlled evaluation procedure.

The procedure fails at a very specific point. Addition keeps decryption inside the same noisy linear relation. Multiplication does not. It lifts the decryption equation from a linear secret-key basis to a higher-degree basis, enlarges the ciphertext object, and spends decoding margin at the same time. If FHE is to support general evaluation, it needs a control layer exactly at that break.

That control layer is gadget decomposition plus evaluation keys. Once that interface is explicit, key switching becomes a noisy basis change, relinearization becomes the special case that removes post-multiplication secret-key degree, and the leveled-versus-fully-homomorphic split becomes a question of whether the noise budget can be managed forever or only up to a fixed depth.²