643 views

Skip to first unread message

Jan 19, 2022, 2:12:35â€¯PM1/19/22

to pqc-...@list.nist.gov

Within the general risks of structured lattices, there are specific

cryptanalytic reasons for concern regarding the security impact of

Kyber's leap to higher-rank modules over smaller rings: for example,

kyber768 relying on rank-3 modules over a ring of dimension only 256.

It's entirely possible that this structure is exploitable. For example,

compared to the original NTRU system using the 719th cyclotomic field,

kyber768 could end up _much weaker_, as a direct result of Kyber's

module structure.

There's advertising to the contrary, trying to make people believe that

the extra risks of Kyber have been proven not to exist. This advertising

is fundamentally flawed. The proofs _do not_ say what they're portrayed

as saying. There's no hope of fixing this.

Let's go carefully through the details.

1. Special field structures

\Q[X]/(X^1024+1), the 2048th cyclotomic field, has a big pile of

nontrivial subfields: three subfields of half degree, three subfields of

quarter degree, etc.

For example, one subfield is \Q[X^4]/(X^1024+1), which is isomorphic to

\Q[X]/(X^256+1). In this message I'll apply such isomorphisms implicitly

and talk about \Q[X]/(X^256+1) as a subfield of \Q[X]/(X^1024+1).

Such a big pile of subfields is unusual _even among cyclotomic fields_.

There are far fewer subfields in, e.g., the Nth cyclotomic field where N

and (N-1)/2 are prime, exactly the fields recommended in the original

NTRU paper for implementation reasons.

2. Security risks of special field structures

Do unnecessary subfields damage security? From a cryptanalytic

perspective, there are clear reasons to worry that the answer is yes.

There's a vast literature on number-theoretic computations exploiting

subfields. Subfields speed up discrete-log computations. They speed up

class-group computations, unit-group computations, etc. Known S-unit

attacks already exploit subfields in a variety of ways; see, e.g.,

https://cr.yp.to/papers.html#multiquad, https://arxiv.org/abs/2002.12332,

and https://cr.yp.to/talks.html#2021.08.20.

The notion that S-unit attacks are living in a separate world from

lattice-based cryptography was already disproven by the unit attacks

breaking the cyclotomic case of Gentry's original STOC 2009 FHE system,

the original multilinear-map system, etc. Subsequent S-unit attacks are

coming closer and closer to lattice KEMs in NISTPQC, and have already

broken through an amazing series of claimed attack "barriers" reviewed

in Section 1.2 of https://ntruprime.cr.yp.to/latticerisks-20211031.pdf.

What's most important here is that there's no proof, not even a hope of

proving, that extra subfields are safe. I'll return to this below.

3. The modules-are-less-structured argument

There has been endless advertisement of rank-{2,3,4} MLWE systems as

supposedly reducing security risks compared to RLWE systems. Let's look

at what this difference means mathematically.

For concreteness, let's say

* a,e are secret vectors of length 1024 with small entries,

* G is a linear transformation of such vectors, and

* the public key is aG+e.

One of the basic attack goals is to find a,e given G,aG+e.

This description leaves many options for the set of transformations G.

For example, is it any 1024x1024 matrix? Or a matrix with a particular

structure? The choice of this set could have a big impact on security.

Let's compare three choices. I'll describe each choice as a \Q-algebra,

which means a ring R (not necessarily commutative) equipped with a ring

morphism from \Q to R. Here \Q is the field of rational numbers. I'll

abbreviate \Q-algebra as simply "algebra".

Each of these algebras acts as a set of linear transformations on the

module \Q^1024. I'll skip reviewing the standard mechanisms to extract

important "integral" subrings (e.g., extracting \Z[X]/(X^1024+1) from

\Q[X]/(X^1024+1)) and to reduce modulo q, giving linear transformations

on \Z^1024 and on (\Z/q)^1024.

Here are the three choices of algebras:

* "The LWE choice": \Q^(1024x1024), the algebra of 1024x1024 matrices

over \Q, with each matrix viewed as a linear transformation on the

module \Q^1024 in the usual way. There are 1048576 degrees of

freedom in a matrix.

* "The MLWE choice": (\Q[X]/(X^256+1))^(4x4), the algebra of 4x4

matrices with entries in the ring \Q[X]/(X^256+1). Each of these

matrices is viewed as a (\Q[X]/(X^256+1))-linear transformation,

and hence \Q-linear transformation, on the module

(\Q[X]/(X^256+1))^4, which is isomorphic to \Q^1024 as a \Q-module.

There are only 4096 degrees of freedom here. This is a small,

highly structured subalgebra of the first algebra.

* "The RLWE choice": \Q[X]/(X^1024+1), with each element viewed as

the linear transformation that multiplies by that element.

There are only 1024 degrees of freedom here. This is an even

smaller, even more highly structured subalgebra.

It's easy to prove that the third algebra is a subalgebra of the second,

and that solving various problems for transformations of the second type

implies solving various problems for transformations of the third type.

Sounds like switching from RLWE to MLWE is provably eliminating extra

structure and reducing risks, right?

NIST's official round-2 report cites this proof as part of its reason

for rejecting NewHope in favor of Kyber. Half of the NewHope text in

that report is discussing this proof. The report categorically describes

"RLWE schemes" (not just NewHope) as "the most structured", "MLWE" as

"intermediately structured", and "plain LWE" as the "least structured".

4. The fundamental flaw in the argument

The provable relationship between \Q[X]/(X^1024+1) and

(\Q[X]/(X^256+1))^(4x4) relies on the fact that \Q[X]/(X^256+1) is a

subfield of \Q[X]/(X^1024+1).

Having \Q[X]/(X^256+1) as a subfield is a _special structure_ of

\Q[X]/(X^1024+1). For example, the proof does not work---and there is no

hope of making it work---as a comparison to the following field:

* "Another RLWE choice": \Q[X]/(X^1013-X-1), with each element viewed

as the linear transformation that multiplies by that element.

Or, if one wants to precisely match dimensions, the following field:

* "Yet another RLWE choice": \Q[X]/(X^1024-X-1), again viewed as

linear transformations in the usual way.

The third algebra above isn't actually "the" RLWE choice: there are

_many_ choices of fields in each dimension, and the proof requires

restricting attention to a narrow, structured subset of these choices.

This means that enabling the proof required _imposing structure_ on the

starting field. From the perspective of the algorithm designer, this

structure is an attack tool!

The full S-unit lattice for a nontrivial S isn't hard to calculate for

the field \Q[X]/(X^256+1), thanks to the smallness and special structure

of this field. It's not that this has been publicly extended yet to a

break of problems for (\Q[X]/(X^256+1))^(4x4), but it's really not hard

to imagine that severe weaknesses of a ring also create weaknesses of

4x4 matrices over that ring.

Even people who have trouble seeing how such algorithms might work can't

deny the logical _possibility_ that the smallness and special structure

of \Q[X]/(X^256+1) will turn into a devastating attack against problems

for (\Q[X]/(X^256+1))^(4x4), making kyber1024 feasible to break.

The proof then says that, logically, there must also be a weakness for

\Q[X]/(X^1024+1). But this _doesn't_ logically imply weaknesses in most

other algebras. There's no reason to exclude the possibility of other

algebras being stronger: for example, \Q[X]/(X^1013-X-1) being stronger.

In this scenario, the proof is simply relating one weak problem to

another weak problem. What's terrifying is that _this is being used as

an argument to use a weak problem instead of a stronger problem_. People

are casually introducing a small structured ring into a cryptosystem and

blindly advertising the use of modules over this ring as risk reduction,

even though in this scenario it _damages_ security.

Are we supposed to worry about structured matrices and _not_ worry about

structured rings? This makes no sense. A direct comparison of the

algebras being used, the basic algebraic structure of the set of G used

for public keys aG+e, immediately shows that the move to modules

requires structure that otherwise would _not_ have to be there.

If the comparison is merely to NewHope, then the field \Q[X]/(X^256+1)

was present from the outset as a subfield. In this case, sure, insisting

on modules doesn't require adding any structure to the field. (There are

other problems with NIST's NewHope comparison; see below.) But this is a

_very_ special case.

Instead of acknowledging the special field structure enabling this

proof, NIST glibly generalizes, categorically describing "RLWE" as "more

structured" than "MLWE". That categorical statement is simply wrong!

For example, (\Q[X]/(X^256+1))^(4x4) has a subalgebra \Q[X]/(X^256+1)

with many special properties drawing the cryptanalyst's attention:

* The subalgebra is much bigger than \Q, but much smaller than the

full algebra.

* The subalgebra is in the "center" of the full algebra, meaning

that it commutes with every choice of G.

* The subalgebra is a cyclotomic field.

* This field has a tower of smaller subfields having the same

properties, such as \Q[X]/(X^128+1), plus further subfields.

This structure is not present in \Q[X]/(X^1013-X-1), a field whose only

subfields are itself and \Q.

People are being misled into believing that the proof says that the

entire class of RLWE problems of degree around n is broken if rank-4

MLWE problems of degree around n/4 are broken. No, that's _not_ what the

proof says. One needs to narrow attention to some _highly structured_

RLWE problems to make the proof work. Adding this structure to enable

the proof also adds dangers that the proof doesn't address.

5. Small fields in pre-quantum DH

Think back to the old days when people used a 1024-bit prime field

inside your favorite discrete-log system, let's say DH. (Not so old,

actually.)

Imagine someone saying "You should move to this matrix version of DH

using 4x4 matrices over \F_{2^256}. For similar cost in the following

metrics, this allows many more matrices, and the following 4x4 matrix

problems are provably secure if some \F_{2^1024} problems are secure."

Um, yes, okay, there are more matrices, and it's not crazy to _hope_ for

the non-commutativity to add security compared to \F_{2^1024}. But if

(1) the subfields of \F_{2^1024} are a security disaster (this turns

out to be the case) and

(2) non-commutativity isn't enough to rescue the system (it turns

out to provide _no_ security benefit; see 1997 Menezes--Wu)

then the new system is a security disaster while, as far as we know, the

old one isn't.

So the proof is relating one weak problem to another weak problem.

Meanwhile it's misleading people into switching away from a strong

problem, even though the proof actually says _nothing_ about the strong

problem---the same way that the MLWE-vs.-RLWE proof says _nothing_ about

RLWE using fields outside a specially structured class.

This DH example illustrates the structural dangers inherent in (1)

constructing systems "with the objective of being able to give security

reductions for them" and (2) using this as a risk-assessment mechanism,

judging systems as less risky if they have more "security proofs". What

the proofs actually say about security is limited, and the limitations

have to be carefully taken into account.

6. Modules as a danger separate from cyclotomics

In the above matrix example, \F_{2^256} has a tower of subfields that

are unnecessary for DH, the same way that \Z[X]/(X^256+1) has many

subfields that are unnecessary for lattice-based cryptography, along

with further unnecessary structure such as being cyclotomic.

What happens if one removes this structure? Consider 4x4 matrices over

the prime field \F_p, where p is a 256-bit prime. "Provable security"

then highlights a relationship between these matrices and a 1024-bit

finite field \F_{p^4}.

Is it correct to say that the matrices are less structured than 1024-bit

fields? No, of course not. The proof is only for _extremely special_

1024-bit fields, the ones that have 256-bit prime subfields.

If this subfield structure opens up vulnerabilities (variants of NFS

that exploit subfields are an active research area today), and if these

are also vulnerabilities of the matrix system (which, again, turns out

to be the case; see 1997 Menezes--Wu), then moving from a 1024-bit prime

field to the matrix system has damaged security. So how can one portray

the proof as saying that moving to matrices is reducing risks?

What one sees here is that simply imposing the matrix structure, working

with 4x4 matrices over a field with 1/4 as many bits, is creating a new

security risk, a risk that is _not_ addressed by the "security proof".

Similar comments apply to lattice systems. Cyclotomics are particularly

worrisome, but _even outside the cyclotomic context_ it's entirely

possible that moving to modules---for example, a rank-4 module over a

quarter-dimension ring---damages security. There's certainly no proof to

the contrary.

Consider, as concrete examples, the following \Q-algebras:

(1) \Q[X]/(X^1024-X-1).

(2) \Q[X]/(X^1024-X^4-1).

(3) (\Q[X]/(X^256-X-1))^(4x4).

(4) \Q[X]^(1024x1024).

Here the argument for modules says that #1 is a small, structured piece

of #4, which is worrisome, and that #2 is a small, structured piece of

#4, which is worrisome, and that #3 is an intermediate case between #2

and #4, making it less worrisome.

But #2 and #3 both have special structure that doesn't exist in #1!

This isn't as extreme as the tower of cyclotomics mentioned above, but

again there's an intermediate algebra with special properties catching

the cryptanalyst's eye as a potential springboard for attacks: both

algebras contain \Q[X]/(X^256-X-1), which is much bigger than \Q, much

smaller than the full algebra, and in the center of the full algebra.

The presence of this special intermediate field could expose #2 and #3

to attacks that don't apply to #1, a field whose only proper subfield is

\Q.

Advocating a leap from #1 to #3, and trying to justify this by pointing

to a proof relating #2 to #3, is indefensibly exaggerating what the

proof says, and ignoring the security risk of introducing extra

subfields---again, something that has a long history of being exploited.

To summarize, what the advertising wants people to believe is that the

Kyber matrices are provably at least as strong as commutative rings

(acting on vectors of similar dimension). What the proof actually says

is, at best, that the Kyber matrices are at least as strong as some

_very special_ commutative rings, the rings used in NewHope. The proof

does _not_ say that the Kyber matrices are at least as strong as _other_

commutative rings. Closing this gap is hopeless.

7. Credits and subsequent discussions

The fundamental flaw in the module advertising was already pinpointed in

Section 5.5 of https://ntruprime.cr.yp.to/latticerisks-20211031.pdf (in

less detail than the explanation I've given above). I cited that paper

in my first message in the small-rounding thread:

Theorems that might give a "modules are guaranteed safe" impression have

limitations rendering them logically inapplicable to NISTPQC. See, e.g.,

Section 5.5 of https://ntruprime.cr.yp.to/latticerisks-20211031.pdf.

A followup a few days later, the message I'm responding to, repeats

essentially the same advertising---hiding the flaw inside a false

hypothesis.

[ context omitted by the message I'm replying to: ]

> > Let's try an example: the experiments reported in Section 4.2 of

> > https://www.ntru.org/f/hps98.pdf (the first paper Dr. Peikert cited).

> > These are attacking scaled-down versions of the original NTRU system.

[ context included in the message I'm replying to: ]

> > Why exactly is it supposed to be okay to count these experiments towards

> > "enough cryptanalysis" of systems that move to rank-3 modules over a

> > ring of only 1/3 dimension (e.g., kyber768),

> Because there are simple reductions that allow one to decrease the

> degree of the ring, while increasing the module rank.

> If R=Z[X]/(X^1024+1)

[ ... ]

> So if NTRU is over the ring R

This is the false hypothesis mentioned above.

The question was explicitly about the experiments in Section 4.2 of the

original NTRU paper. Those experiments used X^N-1 for various N; why

would they have detected security failures of X^N+1 with N being a power

of 2? Maybe failures of X^N+1 would show up for X^2N-1, but the

experiments didn't use any power-of-2 exponents. In short, no, this

isn't over the ring R; it isn't over _any_ power-of-2 ring.

The same hypothesis is, of course, also false for various NISTPQC KEMs,

such as sntrup1013.

Again, the (partial) proof that kyber1024 >= newhope1024 relies on the

fact that \Q[X]/(X^1024+1) has a much smaller subfield \Q[X]/(X^256+1).

What happens if the smallness and special structure of \Q[X]/(X^256+1)

turn out to be a security problem for _both_ kyber1024 and newhope1024,

a problem not shared by most fields---maybe even most cyclotomics?

Perhaps someone has in mind a _heuristic_ saying that if power-of-2

cyclotomics have a security problem then the problem will also show up

for many other cyclotomics. This essentially assumes away any potential

difference between power-of-2 cyclotomics and random cyclotomics. Maybe

this is a valid heuristic, but how well has it been tested?

Compare this to Dr. Peikert's message at the start of the small-rounding

thread: "The existing analyses essentially 'assume away' any potential

difference between deterministic rounding errors and random ones. Maybe

this is a valid heuristic, but how well has it been tested?"

If we're supposed to worry about the possibility that rounding loses

security, and the possibility that structure in matrices loses security,

shouldn't we worry about the possibility that power-of-2 cyclotomic

structure loses security, even compared to most cyclotomics? Where are

all the papers redoing every NTRU attack experiment for the power-of-2

case? Where are the objections to a lack of Kyber-specific experiments?

These possibilities are analogous in that none of these features have

been _proven_ secure. This is what I've been emphasizing in the last few

paragraphs---but it's also a _very_ low bar. Every lattice KEM has a

combinatorial explosion of features (obviously far beyond the number of

attack papers); only a narrow corner is proven secure; so it's trivial

to take any submission and selectively highlight a proof gap for that

submission. If this were done systematically then people would realize

how content-free it is. Instead it's against a backdrop of many other

proofs being indefensibly exaggerated, such as the MLWE-vs.-RLWE proof.

Correcting the exaggerations and studying how little the proofs actually

say makes clear that risk management has to be driven instead by the

literature designing and analyzing _algorithms_. What's truly concerning

about subfields, cyclotomics, etc. isn't the minimal point that they

haven't been proven safe. What's truly concerning is that these

structures have already been exploited for many years to speed up a wide

range of number-theoretic computations---often quite dramatically, as

illustrated by the quantum polynomial-time break of Gentry's original

STOC 2009 FHE system for cyclotomics (under minor assumptions), and the

non-quantum quasi-polynomial-time break of an analogous system using

multiquadratics (which aren't cyclotomic but have many subfields).

I understand that the magnitude of the danger isn't obvious to everyone.

But the idea that the danger has been _proven_ not to exist is absurd.

There's a specific fiction that leaping to rank-{2,3,4} modules, while

dropping the field degree correspondingly, has been proven to not lose

security; let's get that corrected for the record.

> what is your "concern" with the above?

First of all, for a mathematician, _any_ proof exaggeration is

unacceptable.

NIST wrote "In a technical sense, the security of NewHope is never

better than that of KYBER", pointing to a proof. But simply reading what

the proof says and comparing it to the NewHope-vs.-Kyber example shows

many reasons that, no, the proof _doesn't_ say that Kyber is at least as

strong as NewHope. (See generally my email dated 25 Jul 2020 10:36:57

+0200.) NIST didn't even bother to systematically _list_ those reasons,

never mind presenting an evaluation of the corresponding security risks.

This is horrifying.

The specific exaggeration that I'm emphasizing in this message doesn't

matter for NewHope in particular: as noted above, NewHope already had

\Q[X]/(X^256+1) present as a subfield. However, as part of the same

official report, NIST stated a much broader categorical preference for

"low-rank MLWE schemes over RLWE schemes"---evidently blind to the fact

that this leap requires inserting extra structure that could damage

security, structure that a pure RLWE system doesn't need. The proof does

_not_ provide any reason to think that (\Q[X]/(X^256+1))^(4x4) is as

safe as \Q[X]/(X^1013-X-1).

In short, readers are being led to believe that inserting the small

field \Q[X]/(X^256+1) into a system design is guaranteed safe---but the

argument presented for this starts by hypothesizing that \Q[X]/(X^256+1)

was already present as a subfield! This makes no sense.

> Is it:

> 1. It's possible that Module-LWE over random A'' is easy (so

> Kyber-1024 is easy), but Module-LWE over a structured A'' (i.e. the

> one you get from transforming A-->A'') is hard?

I have a clarification question regarding two general words here, "easy"

vs. "hard": are these supposed to refer to some _big_ gap in security?

Kyber's security margin seems to keep dropping and seems very small

(possibly nonexistent), so a small improvement in attacks could mean

that Kyber doesn't reach its claimed security level.

The rest of the specific text here seems like a pointless distraction

from the elephant in the room, the fact that the proof at hand compares

MLWE using \Q[X]/(X^256+1) to an _extremely restricted_ type of RLWE

system, one where \Q[X]/(X^256+1) is already present as a subfield.

> 2. That this reduction works only for dimensions that are a power of

> 2, so we can't say anything about Kyber-768 which has a 3x3 matrix A

> (i.e. maybe it's as hard as Kyber with a 2x2 matrix over the same

> ring).

In the absence of further information, one has to guess that the 3x3

case is stronger than the 2x2 case. But this is a weak statement given

that the 2x2 case is already on the bleeding edge against known attacks

and that the 3x3 case claims a _much_ higher security level.

Why resort to some weak 3-to-2 relation instead of talking about how

Kyber relates to some degree-768 extension of \Q[X]/(X^256+1), such as

\Q[X,Y]/(X^256+1,Y^3-Y-X)? Could this be because presenting such an

extension helps the reader realize that the 256*3 -> 768 proof is

restricted to a narrow, specially structured set of degree-768 fields?

> Both of these "objections", however, are counter to a lot of the

> theory that underlies lattice cryptography. (1) contradicts that

> random matrices A are the hard instances and (2) contradicts that

> increasing the dimension makes the lattice problem harder.

This text also seems like a distraction from the elephant.

> So if you're going to state hypotheses that go against established

> theory, you need to have some evidence. Otherwise, one can state anything

> that can't be proved or disproved -- (e.g. do you have concrete proof

> contradicting the Qanon and the covid vaccine conspiracies? No? Then I

> guess you should consider them to be as valid as their negations.)

This level of rhetoric regarding the nature of evidence is in a message

that starts from an outright false assumption regarding the stated

context and ignores an earlier reference to a paper explaining the gap?

Hmmm.

> The difference between saying (1) LWE is hard, but LWR with small

> rounding could be easy and (2) NTRU is hard, but Module-LWE could be

> easy is that (1) does not contradict any of the underlying theory or

> understanding upon which lattice crypto is built, whereas (2) would

> mean that the core of the established theory is wrong.

Please clarify.

What's covered by "the underlying theory or understanding upon which

lattice crypto is built"? Is this excluding, e.g., the original LLL

paper, the original BKZ paper, the original NTRU paper, and many more

years of design and analysis of algorithms? If this excludes papers on,

e.g., class-group computations, then what's the rationale for excluding

those, and how does this avoid making the argument circular?

How precisely would weaknesses triggered by the smallness and special

structure of \Q[X]/(X^256+1) contradict "the established theory"?

It's disturbing to see a message that's so driven by "security proofs"

that it makes a hypothesis that's false regarding the explicit context

and often false for NISTPQC---simply _assuming_ that one is starting

with particular field structures, because this is what has to be done to

make the proof work---and then tries to lead the reader to believe that

the existing "theory and understanding" guarantee the safety of modules,

evidently with no need to even _look_ at what's known about algorithms

exploiting those field structures.

---Dan

cryptanalytic reasons for concern regarding the security impact of

Kyber's leap to higher-rank modules over smaller rings: for example,

kyber768 relying on rank-3 modules over a ring of dimension only 256.

It's entirely possible that this structure is exploitable. For example,

compared to the original NTRU system using the 719th cyclotomic field,

kyber768 could end up _much weaker_, as a direct result of Kyber's

module structure.

There's advertising to the contrary, trying to make people believe that

the extra risks of Kyber have been proven not to exist. This advertising

is fundamentally flawed. The proofs _do not_ say what they're portrayed

as saying. There's no hope of fixing this.

Let's go carefully through the details.

1. Special field structures

\Q[X]/(X^1024+1), the 2048th cyclotomic field, has a big pile of

nontrivial subfields: three subfields of half degree, three subfields of

quarter degree, etc.

For example, one subfield is \Q[X^4]/(X^1024+1), which is isomorphic to

\Q[X]/(X^256+1). In this message I'll apply such isomorphisms implicitly

and talk about \Q[X]/(X^256+1) as a subfield of \Q[X]/(X^1024+1).

Such a big pile of subfields is unusual _even among cyclotomic fields_.

There are far fewer subfields in, e.g., the Nth cyclotomic field where N

and (N-1)/2 are prime, exactly the fields recommended in the original

NTRU paper for implementation reasons.

2. Security risks of special field structures

Do unnecessary subfields damage security? From a cryptanalytic

perspective, there are clear reasons to worry that the answer is yes.

There's a vast literature on number-theoretic computations exploiting

subfields. Subfields speed up discrete-log computations. They speed up

class-group computations, unit-group computations, etc. Known S-unit

attacks already exploit subfields in a variety of ways; see, e.g.,

https://cr.yp.to/papers.html#multiquad, https://arxiv.org/abs/2002.12332,

and https://cr.yp.to/talks.html#2021.08.20.

The notion that S-unit attacks are living in a separate world from

lattice-based cryptography was already disproven by the unit attacks

breaking the cyclotomic case of Gentry's original STOC 2009 FHE system,

the original multilinear-map system, etc. Subsequent S-unit attacks are

coming closer and closer to lattice KEMs in NISTPQC, and have already

broken through an amazing series of claimed attack "barriers" reviewed

in Section 1.2 of https://ntruprime.cr.yp.to/latticerisks-20211031.pdf.

What's most important here is that there's no proof, not even a hope of

proving, that extra subfields are safe. I'll return to this below.

3. The modules-are-less-structured argument

There has been endless advertisement of rank-{2,3,4} MLWE systems as

supposedly reducing security risks compared to RLWE systems. Let's look

at what this difference means mathematically.

For concreteness, let's say

* a,e are secret vectors of length 1024 with small entries,

* G is a linear transformation of such vectors, and

* the public key is aG+e.

One of the basic attack goals is to find a,e given G,aG+e.

This description leaves many options for the set of transformations G.

For example, is it any 1024x1024 matrix? Or a matrix with a particular

structure? The choice of this set could have a big impact on security.

Let's compare three choices. I'll describe each choice as a \Q-algebra,

which means a ring R (not necessarily commutative) equipped with a ring

morphism from \Q to R. Here \Q is the field of rational numbers. I'll

abbreviate \Q-algebra as simply "algebra".

Each of these algebras acts as a set of linear transformations on the

module \Q^1024. I'll skip reviewing the standard mechanisms to extract

important "integral" subrings (e.g., extracting \Z[X]/(X^1024+1) from

\Q[X]/(X^1024+1)) and to reduce modulo q, giving linear transformations

on \Z^1024 and on (\Z/q)^1024.

Here are the three choices of algebras:

* "The LWE choice": \Q^(1024x1024), the algebra of 1024x1024 matrices

over \Q, with each matrix viewed as a linear transformation on the

module \Q^1024 in the usual way. There are 1048576 degrees of

freedom in a matrix.

* "The MLWE choice": (\Q[X]/(X^256+1))^(4x4), the algebra of 4x4

matrices with entries in the ring \Q[X]/(X^256+1). Each of these

matrices is viewed as a (\Q[X]/(X^256+1))-linear transformation,

and hence \Q-linear transformation, on the module

(\Q[X]/(X^256+1))^4, which is isomorphic to \Q^1024 as a \Q-module.

There are only 4096 degrees of freedom here. This is a small,

highly structured subalgebra of the first algebra.

* "The RLWE choice": \Q[X]/(X^1024+1), with each element viewed as

the linear transformation that multiplies by that element.

There are only 1024 degrees of freedom here. This is an even

smaller, even more highly structured subalgebra.

It's easy to prove that the third algebra is a subalgebra of the second,

and that solving various problems for transformations of the second type

implies solving various problems for transformations of the third type.

Sounds like switching from RLWE to MLWE is provably eliminating extra

structure and reducing risks, right?

NIST's official round-2 report cites this proof as part of its reason

for rejecting NewHope in favor of Kyber. Half of the NewHope text in

that report is discussing this proof. The report categorically describes

"RLWE schemes" (not just NewHope) as "the most structured", "MLWE" as

"intermediately structured", and "plain LWE" as the "least structured".

4. The fundamental flaw in the argument

The provable relationship between \Q[X]/(X^1024+1) and

(\Q[X]/(X^256+1))^(4x4) relies on the fact that \Q[X]/(X^256+1) is a

subfield of \Q[X]/(X^1024+1).

Having \Q[X]/(X^256+1) as a subfield is a _special structure_ of

\Q[X]/(X^1024+1). For example, the proof does not work---and there is no

hope of making it work---as a comparison to the following field:

* "Another RLWE choice": \Q[X]/(X^1013-X-1), with each element viewed

as the linear transformation that multiplies by that element.

Or, if one wants to precisely match dimensions, the following field:

* "Yet another RLWE choice": \Q[X]/(X^1024-X-1), again viewed as

linear transformations in the usual way.

The third algebra above isn't actually "the" RLWE choice: there are

_many_ choices of fields in each dimension, and the proof requires

restricting attention to a narrow, structured subset of these choices.

This means that enabling the proof required _imposing structure_ on the

starting field. From the perspective of the algorithm designer, this

structure is an attack tool!

The full S-unit lattice for a nontrivial S isn't hard to calculate for

the field \Q[X]/(X^256+1), thanks to the smallness and special structure

of this field. It's not that this has been publicly extended yet to a

break of problems for (\Q[X]/(X^256+1))^(4x4), but it's really not hard

to imagine that severe weaknesses of a ring also create weaknesses of

4x4 matrices over that ring.

Even people who have trouble seeing how such algorithms might work can't

deny the logical _possibility_ that the smallness and special structure

of \Q[X]/(X^256+1) will turn into a devastating attack against problems

for (\Q[X]/(X^256+1))^(4x4), making kyber1024 feasible to break.

The proof then says that, logically, there must also be a weakness for

\Q[X]/(X^1024+1). But this _doesn't_ logically imply weaknesses in most

other algebras. There's no reason to exclude the possibility of other

algebras being stronger: for example, \Q[X]/(X^1013-X-1) being stronger.

In this scenario, the proof is simply relating one weak problem to

another weak problem. What's terrifying is that _this is being used as

an argument to use a weak problem instead of a stronger problem_. People

are casually introducing a small structured ring into a cryptosystem and

blindly advertising the use of modules over this ring as risk reduction,

even though in this scenario it _damages_ security.

Are we supposed to worry about structured matrices and _not_ worry about

structured rings? This makes no sense. A direct comparison of the

algebras being used, the basic algebraic structure of the set of G used

for public keys aG+e, immediately shows that the move to modules

requires structure that otherwise would _not_ have to be there.

If the comparison is merely to NewHope, then the field \Q[X]/(X^256+1)

was present from the outset as a subfield. In this case, sure, insisting

on modules doesn't require adding any structure to the field. (There are

other problems with NIST's NewHope comparison; see below.) But this is a

_very_ special case.

Instead of acknowledging the special field structure enabling this

proof, NIST glibly generalizes, categorically describing "RLWE" as "more

structured" than "MLWE". That categorical statement is simply wrong!

For example, (\Q[X]/(X^256+1))^(4x4) has a subalgebra \Q[X]/(X^256+1)

with many special properties drawing the cryptanalyst's attention:

* The subalgebra is much bigger than \Q, but much smaller than the

full algebra.

* The subalgebra is in the "center" of the full algebra, meaning

that it commutes with every choice of G.

* The subalgebra is a cyclotomic field.

* This field has a tower of smaller subfields having the same

properties, such as \Q[X]/(X^128+1), plus further subfields.

This structure is not present in \Q[X]/(X^1013-X-1), a field whose only

subfields are itself and \Q.

People are being misled into believing that the proof says that the

entire class of RLWE problems of degree around n is broken if rank-4

MLWE problems of degree around n/4 are broken. No, that's _not_ what the

proof says. One needs to narrow attention to some _highly structured_

RLWE problems to make the proof work. Adding this structure to enable

the proof also adds dangers that the proof doesn't address.

5. Small fields in pre-quantum DH

Think back to the old days when people used a 1024-bit prime field

inside your favorite discrete-log system, let's say DH. (Not so old,

actually.)

Imagine someone saying "You should move to this matrix version of DH

using 4x4 matrices over \F_{2^256}. For similar cost in the following

metrics, this allows many more matrices, and the following 4x4 matrix

problems are provably secure if some \F_{2^1024} problems are secure."

Um, yes, okay, there are more matrices, and it's not crazy to _hope_ for

the non-commutativity to add security compared to \F_{2^1024}. But if

(1) the subfields of \F_{2^1024} are a security disaster (this turns

out to be the case) and

(2) non-commutativity isn't enough to rescue the system (it turns

out to provide _no_ security benefit; see 1997 Menezes--Wu)

then the new system is a security disaster while, as far as we know, the

old one isn't.

So the proof is relating one weak problem to another weak problem.

Meanwhile it's misleading people into switching away from a strong

problem, even though the proof actually says _nothing_ about the strong

problem---the same way that the MLWE-vs.-RLWE proof says _nothing_ about

RLWE using fields outside a specially structured class.

This DH example illustrates the structural dangers inherent in (1)

constructing systems "with the objective of being able to give security

reductions for them" and (2) using this as a risk-assessment mechanism,

judging systems as less risky if they have more "security proofs". What

the proofs actually say about security is limited, and the limitations

have to be carefully taken into account.

6. Modules as a danger separate from cyclotomics

In the above matrix example, \F_{2^256} has a tower of subfields that

are unnecessary for DH, the same way that \Z[X]/(X^256+1) has many

subfields that are unnecessary for lattice-based cryptography, along

with further unnecessary structure such as being cyclotomic.

What happens if one removes this structure? Consider 4x4 matrices over

the prime field \F_p, where p is a 256-bit prime. "Provable security"

then highlights a relationship between these matrices and a 1024-bit

finite field \F_{p^4}.

Is it correct to say that the matrices are less structured than 1024-bit

fields? No, of course not. The proof is only for _extremely special_

1024-bit fields, the ones that have 256-bit prime subfields.

If this subfield structure opens up vulnerabilities (variants of NFS

that exploit subfields are an active research area today), and if these

are also vulnerabilities of the matrix system (which, again, turns out

to be the case; see 1997 Menezes--Wu), then moving from a 1024-bit prime

field to the matrix system has damaged security. So how can one portray

the proof as saying that moving to matrices is reducing risks?

What one sees here is that simply imposing the matrix structure, working

with 4x4 matrices over a field with 1/4 as many bits, is creating a new

security risk, a risk that is _not_ addressed by the "security proof".

Similar comments apply to lattice systems. Cyclotomics are particularly

worrisome, but _even outside the cyclotomic context_ it's entirely

possible that moving to modules---for example, a rank-4 module over a

quarter-dimension ring---damages security. There's certainly no proof to

the contrary.

Consider, as concrete examples, the following \Q-algebras:

(1) \Q[X]/(X^1024-X-1).

(2) \Q[X]/(X^1024-X^4-1).

(3) (\Q[X]/(X^256-X-1))^(4x4).

(4) \Q[X]^(1024x1024).

Here the argument for modules says that #1 is a small, structured piece

of #4, which is worrisome, and that #2 is a small, structured piece of

#4, which is worrisome, and that #3 is an intermediate case between #2

and #4, making it less worrisome.

But #2 and #3 both have special structure that doesn't exist in #1!

This isn't as extreme as the tower of cyclotomics mentioned above, but

again there's an intermediate algebra with special properties catching

the cryptanalyst's eye as a potential springboard for attacks: both

algebras contain \Q[X]/(X^256-X-1), which is much bigger than \Q, much

smaller than the full algebra, and in the center of the full algebra.

The presence of this special intermediate field could expose #2 and #3

to attacks that don't apply to #1, a field whose only proper subfield is

\Q.

Advocating a leap from #1 to #3, and trying to justify this by pointing

to a proof relating #2 to #3, is indefensibly exaggerating what the

proof says, and ignoring the security risk of introducing extra

subfields---again, something that has a long history of being exploited.

To summarize, what the advertising wants people to believe is that the

Kyber matrices are provably at least as strong as commutative rings

(acting on vectors of similar dimension). What the proof actually says

is, at best, that the Kyber matrices are at least as strong as some

_very special_ commutative rings, the rings used in NewHope. The proof

does _not_ say that the Kyber matrices are at least as strong as _other_

commutative rings. Closing this gap is hopeless.

7. Credits and subsequent discussions

The fundamental flaw in the module advertising was already pinpointed in

Section 5.5 of https://ntruprime.cr.yp.to/latticerisks-20211031.pdf (in

less detail than the explanation I've given above). I cited that paper

in my first message in the small-rounding thread:

Theorems that might give a "modules are guaranteed safe" impression have

limitations rendering them logically inapplicable to NISTPQC. See, e.g.,

Section 5.5 of https://ntruprime.cr.yp.to/latticerisks-20211031.pdf.

A followup a few days later, the message I'm responding to, repeats

essentially the same advertising---hiding the flaw inside a false

hypothesis.

[ context omitted by the message I'm replying to: ]

> > Let's try an example: the experiments reported in Section 4.2 of

> > https://www.ntru.org/f/hps98.pdf (the first paper Dr. Peikert cited).

> > These are attacking scaled-down versions of the original NTRU system.

[ context included in the message I'm replying to: ]

> > Why exactly is it supposed to be okay to count these experiments towards

> > "enough cryptanalysis" of systems that move to rank-3 modules over a

> > ring of only 1/3 dimension (e.g., kyber768),

> Because there are simple reductions that allow one to decrease the

> degree of the ring, while increasing the module rank.

> If R=Z[X]/(X^1024+1)

[ ... ]

> So if NTRU is over the ring R

This is the false hypothesis mentioned above.

The question was explicitly about the experiments in Section 4.2 of the

original NTRU paper. Those experiments used X^N-1 for various N; why

would they have detected security failures of X^N+1 with N being a power

of 2? Maybe failures of X^N+1 would show up for X^2N-1, but the

experiments didn't use any power-of-2 exponents. In short, no, this

isn't over the ring R; it isn't over _any_ power-of-2 ring.

The same hypothesis is, of course, also false for various NISTPQC KEMs,

such as sntrup1013.

Again, the (partial) proof that kyber1024 >= newhope1024 relies on the

fact that \Q[X]/(X^1024+1) has a much smaller subfield \Q[X]/(X^256+1).

What happens if the smallness and special structure of \Q[X]/(X^256+1)

turn out to be a security problem for _both_ kyber1024 and newhope1024,

a problem not shared by most fields---maybe even most cyclotomics?

Perhaps someone has in mind a _heuristic_ saying that if power-of-2

cyclotomics have a security problem then the problem will also show up

for many other cyclotomics. This essentially assumes away any potential

difference between power-of-2 cyclotomics and random cyclotomics. Maybe

this is a valid heuristic, but how well has it been tested?

Compare this to Dr. Peikert's message at the start of the small-rounding

thread: "The existing analyses essentially 'assume away' any potential

difference between deterministic rounding errors and random ones. Maybe

this is a valid heuristic, but how well has it been tested?"

If we're supposed to worry about the possibility that rounding loses

security, and the possibility that structure in matrices loses security,

shouldn't we worry about the possibility that power-of-2 cyclotomic

structure loses security, even compared to most cyclotomics? Where are

all the papers redoing every NTRU attack experiment for the power-of-2

case? Where are the objections to a lack of Kyber-specific experiments?

These possibilities are analogous in that none of these features have

been _proven_ secure. This is what I've been emphasizing in the last few

paragraphs---but it's also a _very_ low bar. Every lattice KEM has a

combinatorial explosion of features (obviously far beyond the number of

attack papers); only a narrow corner is proven secure; so it's trivial

to take any submission and selectively highlight a proof gap for that

submission. If this were done systematically then people would realize

how content-free it is. Instead it's against a backdrop of many other

proofs being indefensibly exaggerated, such as the MLWE-vs.-RLWE proof.

Correcting the exaggerations and studying how little the proofs actually

say makes clear that risk management has to be driven instead by the

literature designing and analyzing _algorithms_. What's truly concerning

about subfields, cyclotomics, etc. isn't the minimal point that they

haven't been proven safe. What's truly concerning is that these

structures have already been exploited for many years to speed up a wide

range of number-theoretic computations---often quite dramatically, as

illustrated by the quantum polynomial-time break of Gentry's original

STOC 2009 FHE system for cyclotomics (under minor assumptions), and the

non-quantum quasi-polynomial-time break of an analogous system using

multiquadratics (which aren't cyclotomic but have many subfields).

I understand that the magnitude of the danger isn't obvious to everyone.

But the idea that the danger has been _proven_ not to exist is absurd.

There's a specific fiction that leaping to rank-{2,3,4} modules, while

dropping the field degree correspondingly, has been proven to not lose

security; let's get that corrected for the record.

> what is your "concern" with the above?

First of all, for a mathematician, _any_ proof exaggeration is

unacceptable.

NIST wrote "In a technical sense, the security of NewHope is never

better than that of KYBER", pointing to a proof. But simply reading what

the proof says and comparing it to the NewHope-vs.-Kyber example shows

many reasons that, no, the proof _doesn't_ say that Kyber is at least as

strong as NewHope. (See generally my email dated 25 Jul 2020 10:36:57

+0200.) NIST didn't even bother to systematically _list_ those reasons,

never mind presenting an evaluation of the corresponding security risks.

This is horrifying.

The specific exaggeration that I'm emphasizing in this message doesn't

matter for NewHope in particular: as noted above, NewHope already had

\Q[X]/(X^256+1) present as a subfield. However, as part of the same

official report, NIST stated a much broader categorical preference for

"low-rank MLWE schemes over RLWE schemes"---evidently blind to the fact

that this leap requires inserting extra structure that could damage

security, structure that a pure RLWE system doesn't need. The proof does

_not_ provide any reason to think that (\Q[X]/(X^256+1))^(4x4) is as

safe as \Q[X]/(X^1013-X-1).

In short, readers are being led to believe that inserting the small

field \Q[X]/(X^256+1) into a system design is guaranteed safe---but the

argument presented for this starts by hypothesizing that \Q[X]/(X^256+1)

was already present as a subfield! This makes no sense.

> Is it:

> 1. It's possible that Module-LWE over random A'' is easy (so

> Kyber-1024 is easy), but Module-LWE over a structured A'' (i.e. the

> one you get from transforming A-->A'') is hard?

I have a clarification question regarding two general words here, "easy"

vs. "hard": are these supposed to refer to some _big_ gap in security?

Kyber's security margin seems to keep dropping and seems very small

(possibly nonexistent), so a small improvement in attacks could mean

that Kyber doesn't reach its claimed security level.

The rest of the specific text here seems like a pointless distraction

from the elephant in the room, the fact that the proof at hand compares

MLWE using \Q[X]/(X^256+1) to an _extremely restricted_ type of RLWE

system, one where \Q[X]/(X^256+1) is already present as a subfield.

> 2. That this reduction works only for dimensions that are a power of

> 2, so we can't say anything about Kyber-768 which has a 3x3 matrix A

> (i.e. maybe it's as hard as Kyber with a 2x2 matrix over the same

> ring).

In the absence of further information, one has to guess that the 3x3

case is stronger than the 2x2 case. But this is a weak statement given

that the 2x2 case is already on the bleeding edge against known attacks

and that the 3x3 case claims a _much_ higher security level.

Why resort to some weak 3-to-2 relation instead of talking about how

Kyber relates to some degree-768 extension of \Q[X]/(X^256+1), such as

\Q[X,Y]/(X^256+1,Y^3-Y-X)? Could this be because presenting such an

extension helps the reader realize that the 256*3 -> 768 proof is

restricted to a narrow, specially structured set of degree-768 fields?

> Both of these "objections", however, are counter to a lot of the

> theory that underlies lattice cryptography. (1) contradicts that

> random matrices A are the hard instances and (2) contradicts that

> increasing the dimension makes the lattice problem harder.

This text also seems like a distraction from the elephant.

> So if you're going to state hypotheses that go against established

> theory, you need to have some evidence. Otherwise, one can state anything

> that can't be proved or disproved -- (e.g. do you have concrete proof

> contradicting the Qanon and the covid vaccine conspiracies? No? Then I

> guess you should consider them to be as valid as their negations.)

This level of rhetoric regarding the nature of evidence is in a message

that starts from an outright false assumption regarding the stated

context and ignores an earlier reference to a paper explaining the gap?

Hmmm.

> The difference between saying (1) LWE is hard, but LWR with small

> rounding could be easy and (2) NTRU is hard, but Module-LWE could be

> easy is that (1) does not contradict any of the underlying theory or

> understanding upon which lattice crypto is built, whereas (2) would

> mean that the core of the established theory is wrong.

Please clarify.

What's covered by "the underlying theory or understanding upon which

lattice crypto is built"? Is this excluding, e.g., the original LLL

paper, the original BKZ paper, the original NTRU paper, and many more

years of design and analysis of algorithms? If this excludes papers on,

e.g., class-group computations, then what's the rationale for excluding

those, and how does this avoid making the argument circular?

How precisely would weaknesses triggered by the smallness and special

structure of \Q[X]/(X^256+1) contradict "the established theory"?

It's disturbing to see a message that's so driven by "security proofs"

that it makes a hypothesis that's false regarding the explicit context

and often false for NISTPQC---simply _assuming_ that one is starting

with particular field structures, because this is what has to be done to

make the proof work---and then tries to lead the reader to believe that

the existing "theory and understanding" guarantee the safety of modules,

evidently with no need to even _look_ at what's known about algorithms

exploiting those field structures.

---Dan

Reply all

Reply to author

Forward

0 new messages

Search

Clear search

Close search

Google apps

Main menu