Primal Attack on As it was https://galoishlee.github.io/tags/primal-attack/ Recent content in Primal Attack on As it was Hugo zh-CN maocred@gmail.com (Halois) maocred@gmail.com (Halois) This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. Sat, 30 May 2026 20:37:52 +0800 Solving LWE with Independent Hints about Secret and Errors — Lu, Feng, Pan (2025) https://galoishlee.github.io/lattice-hints-lu2025/ Wed, 27 May 2026 12:00:00 +0800maocred@gmail.com (Halois) https://galoishlee.github.io/lattice-hints-lu2025/ <p>Reading: Lu, Feng, Pan (2025). <em>Solving LWE with Independent Hints about Secret and Errors.</em></p> <p><strong>问题设定:</strong> 给定 LWE 实例 \((A, \mathbf{b} = \mathbf{s}A + \mathbf{e} \bmod q)\) 和一组精确的侧信道 hint(关于 \(\mathbf{s}\) 或 \(\mathbf{e}\) 的内积值),构造 primal attack 格基进行密钥恢复。</p> <p><strong>本文的改进:</strong> 将 Nowakowski-May (ASIACRYPT 2023) 嵌入 hint 时使用的 LLL 约简替换为 Hermite 标准型(HNF)——一个多项式次数更低的整数线性代数操作。Kyber512 上 234 个完美 hint 的基构造从 2.16 小时降至 0.35 小时。格基维度与行列式与 MN23 等价,对完美 hint 行列式略有增大。</p> <p><strong>本笔记关注:</strong> (1) 构造链——hint 转为 lattice hint 后如何通过矩阵乘法嵌入 primal attack 格基;(2) HNF 比 LLL 快在哪——多项式次数的差距及其工程含义;(3) 论文未说但值得追问的部分——带噪 hint、联合 hint、attack pipeline 完整评测的缺失。</p> Lattice Part 9: Concrete Security of Lattice Schemes — Primal, Dual, BKZ https://galoishlee.github.io/lattice-part-9/ Wed, 25 Sep 2024 12:00:00 +0800maocred@gmail.com (Halois) https://galoishlee.github.io/lattice-part-9/ <p>Reading: Peikert&rsquo;s survey as the wide-angle frame<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>, Albrecht-Player-Scott for concrete-LWE attack modeling<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup>, Chen-Nguyen for BKZ quality heuristics<sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup>, the Homomorphic Encryption Standard for published parameter-table practice<sup id="fnref:4"><a href="#fn:4" class="footnote-ref" role="doc-noteref">4</a></sup>, and the LWE Estimator for the operational interface between these papers and actual numbers<sup id="fnref:5"><a href="#fn:5" class="footnote-ref" role="doc-noteref">5</a></sup>.</p> <p>Parts 0-3 fixed the geometric vocabulary: bases, reduced bases, SVP/CVP, cosets, and short modular witnesses. A deployed lattice scheme then adds concrete parameters such as dimension, modulus, secret distribution, error distribution, and sample count. None of those symbols, by itself, proves that one parameter set costs an attacker $2^{128}$ steps. That last sentence is not a theorem output. It is an attacker model layered on top of the theorem.</p> <p>So this chapter stays on the attacker side of the interface. The real objects are primal attacks, dual attacks, BKZ block size, root-Hermite factor, and the estimator-style chain that turns $(n,q,\chi,k,m)$ into a work factor only after a long list of modeling decisions has been fixed.</p> <p>This chapter therefore separates asymptotic hardness claims from concrete parameter-setting practice. It defines primal and dual attack viewpoints clearly, then uses concrete security estimation and attack-cost modeling to map parameter choices to attack-cost estimates.</p> <p>In that exact sense, the goal is to connect BKZ quality assumptions to concrete lattice-scheme security reasoning rather than to repeat a security badge from the reduction side.</p>