Let's see whether, by focusing carefully on one part of the current
lattice religion, we can establish for the record that there's a
completely clear gap between
* what's scientifically justified and
* what this part of the religion says.
Once this is settled, we can then try moving on to another part and
repeating the same process.
As a starting point, I'd like to highlight a particularly obnoxious
religious crusade. The goal of the crusade is to suppress an interesting
line of attack research, specifically the attack idea introduced and
further developed in the following papers:
(1)
https://eprint.iacr.org/2014/784.pdf "Weak instances of PLWE"
(Eisenträger--Hallgren--Lauter, SAC 2014)
(2)
https://eprint.iacr.org/2015/106.pdf "Provably weak instances of
Ring-LWE" (Elias--Lauter--Ozman--Stange, Crypto 2015)
(3)
https://eprint.iacr.org/2015/971.pdf "Attacks on Search RLWE"
(Chen--Lauter--Stange)
(4)
https://eprint.iacr.org/2016/193.pdf "Vulnerable Galois RLWE
families and improved attacks" (Chen--Lauter--Stange)
The attack idea exploits q-dependent ring homomorphisms created by
low-degree factors of the polynomial f mod q. Paper #1 targeted an
extremely narrow set of cases, with many limitations, but paper #2,
paper #3, and paper #4 have been pushing the central attack idea
further, removing various combinations of limitations.
I don't mean to overstate the breadth of the attacks so far---none of
them are things you'd run into by accident---but I doubt that this is
the end of the story of how an attacker can exploit these extra ring
homomorphisms. When I say "extra" I'm comparing to the case that gives
the fewest homomorphisms to the attacker, namely irreducible f mod q.
NTRU Prime, despite mainly being known for choosing f with a large
Galois group, also chooses an "inert" q, i.e., irreducible f mod q. Of
course, taking homomorphisms away from the attacker isn't a guarantee of
security---it's just best-effort risk management, very much like ECRYPT
recommending prime fields for discrete logs a decade ago.
So far this sounds like a common situation in crypto. A new attack idea
is demonstrated in limited cases. Maybe it's the tip of a much larger
iceberg; maybe not. Some designers steer clear; some don't worry. But
why is there a crusade against the papers that explore the attack idea?
The crusaders are starting from the religious notion that factors of f
mod q cannot possibly be a bad thing. There are actually two variants of
this religion:
* Religion version 1: Thou shalt have as many factors of f mod q as
possible, namely deg f linear factors. This allows PROOFS of
security: it guarantees, and cannot possibly damage, security.
* Religion version 2 (newer): The choice of q has been PROVEN to be
irrelevant to Ring-LWE security. To be more precise: Thou shalt
choose f so that there's _some_ split q close to the desired size,
but taking another q of this size is then just fine, and cannot
possibly damage security.
Attacks _exploiting_ factors of f mod q---as the attacks in the above
papers do---are heresy for both religions. That's why the crusaders have
been trying to burn these attack papers.
Beyond simply pushing the general religious tenets, the crusaders have
been pushing a specific myth that _must_ be true if the choice of q
doesn't matter: namely, the myth that everything broken by this line of
research has also been shown to be broken by other attacks that depend
only on the size of q, _not_ on the arithmetic features of q. Why worry
about the choice of q if you believe that the q-specific attacks don't
accomplish anything beyond generic-q attacks?
Let's look more closely at the tiny grains of truth that have been
wildly exaggerated to create this religion:
* Regarding religion version 1: What's true is that some reduction
theorems assume that f splits completely mod q. However, these
theorems have always been compatible with the possibility that such
choices of q are _much less secure_ than other choices of q.
What these theorems say is that a poly-time attack against
Decision-Ring-LWE for split q implies a poly-time attack against
Search-Ring-LWE for split q. There has never been any guarantee of
the _same_ level of security: the two "poly-time" instances can be
quite different. Furthermore, there has never been any guarantee
that Search-Ring-LWE for split q is as secure as Search-Ring-LWE
for other q.
* Regarding religion version 2: What's true (presumably---I haven't
checked the proofs in detail, although the core idea is easy) is
that "modulus switching" provides a poly reduction between
different choices of q. But again there has _never_ been any
guarantee of the _same_ level of security.
All of these theorems have always been entirely compatible with the
possibility that Search-Ring-LWE (and Decision-Ring-LWE and typical
Ring-LWE-based cryptosystems) is _much easier to break for split q_
than for other q---and also with the opposite possibility, or the
neutral possibility.
The bottom line is that the theorems have _never_ scientifically
justified the assertion that choosing split q maximizes security.
* Regarding the attacks: What's true is that _some_ of the cases
broken by this line of attack papers are also broken (at the same
speed or faster) by other attacks that don't depend on q. However,
"some" and "all" are quite different words!
I'm not aware of any dispute regarding the following statements:
For some cases of Ring-LWE, the attacks in these papers---attacks
that rely heavily on the choice of q---are significantly faster
than all other known attacks. Furthermore, this has been the
situation continuously for two years, starting from the publication
of paper #1.
https://eprint.iacr.org/2016/239.pdf "Provably weak instances of
Ring-LWE revisited" (Castryck--Iliashenko--Vercauteren, Eurocrypt
2016) shows that various examples given in paper #2 have error 0 in
certain known output positions, so those cases are very easily
broken by linear algebra. But the authors don't claim that this
attack covers the full scope of #1 and #2, never mind #3 and #4. In
fact, paper #4 explicitly says that its examples "are not directly
attackable using linear algebra, as in the recent paper [CIV]."
https://eprint.iacr.org/2016/351.pdf "How (not) to instantiate
Ring-LWE" (Peikert) gives a "new, unified exposition" of the attack
idea developed in the papers cited above. It's not obvious to me
what's "new" in the attack presentation, aside from superficial
changes of language---e.g., instead of reducing polynomials modulo
a factor of f, this paper uses "reduction modulo an _ideal divisor_
\q of the modulus qR", not mentioning that this is exactly the same
computation. (This is one of quite a few points in the paper where
I found myself thinking that the level of credit was far below what
is scientifically required.)
As far as I can tell, in its central attack---a restatement of the
attacks introduced in the previous papers---this paper uses factors
of f mod q in the same situations where previous papers do, and
uses them in the same ways. Certainly this paper doesn't change the
important point that the best attacks known---for some cases---
depend on exactly these factorizations.
To summarize, the "factors of f mod q can't be bad" religion has a
flimsy scientific justification---theorems that by their own terms are
far too weak to say any such thing. Furthermore, the actual attack
picture for the past two years flatly contradicts the specific myth that
this religion is forced to push regarding EHL-ELOS-CLS.
When I pointed to common myths in a previous message, Peikert accused me
of attacking strawmen. He claimed that it was "suspicious" that I didn't
provide "a single citation or quote". Okay, then, here's an actual quote
from someone pushing religion version 2:
We prove that the arithmetic form of the modulus q is irrelevant to
the computational hardness of LWE and RLWE.
This is quite seriously wrong. Nobody has proven, and nobody has any
credible hope of proving, such a strong theorem. There is a bound on the
security gap, but the bound is definitely not 0.
Here's another example of a quote from someone pushing the specific myth
that the EHL-ELOS-CLS attacks are superseded by attacks independent of
the algebraic structure of q:
The attacks in these works [EHL, ELOS, CLS] were showed to be due to
lack of noise (put differently, LWE with no error is easy).
This quote was followed immediately by citations to CIV and Peikert, and
preceded by a claim that EHL, ELOS, and CLS contained "a significant
amount of algebraic obfuscation." But the quote is amazingly far from
what's scientifically justified:
* The quote is flatly wrong in lumping all of the attack targets into
the CIV "no error" corner.
* Most readers will understand the quote as saying that the attacks
depend _only_ on the noise level, and that's also flatly wrong.
* The quote completely fails to acknowledge the critical algebraic
role of q in the attacks.
What's also interesting is the context: this quote claimed to respond to
NTRU Prime's choice of q being inert. We justified this choice in the
NTRU Prime paper as follows:
Finally, we choose q as an inert prime so that there are no ring
homomorphisms from (\Z/q)[x]/P to any smaller nonzero ring. The
attack strategies of [...] start by applying such homomorphisms; the
attacks are restricted in other ways, but we see no reason to provide
homomorphisms to the attacker in the first place.
A careful reading of Peikert's paper shows that such homomorphisms are
critical for one example after another of the attack that the paper
claims to be an "exposition" of---and yet the paper is being cited as
_opposition_ to considering the algebraic structure of q. How is it
possible for the state of the art to be so massively misrepresented?
My goal here is to clarify the technical issues, not to name culprits
and get bogged down in the question of whether those people are
malicious and/or incompetent. But Peikert seems desperate for me to name
culprits, and I think that it's impossible to avoid wondering about the
Peikert paper mentioned above:
* Why does the paper fail to mention the reduction modulo factors of
f mod q---the idea introduced by EHL, pushed further by ELOS and
CLS, and used in a practically identical way (with minimal credit)
by Peikert---until page 11?
* How will readers who get through only the abstract, or the
introduction, or even the first 10 pages of Peikert's paper, learn
that the factors of f mod q play an essential role at the boundary
between what's known to be broken and what isn't?
* If this "new, unified exposition" is supposed to help people
understand the attacks known today, why does the paper put so
little emphasis on an essential ingredient for those attacks?
Peikert often advocates a holier-than-thou unused fringe corner of
lattice-based cryptography, requiring huge dimensions and huge noise to
be able to prove that attacks with more than (e.g.) a 2^(-20) success
chance in <2^100 operations imply advances in breaking some worst-case
short-vectors-in-ideals problem. So I fully understand that Peikert
wants to emphasize that everything broken in the EHL-ELOS-CLS line of
research so far has significantly smaller noise rates. But how does this
justify an "exposition" deferring a critical algebraic feature of the
attacks to page 11?
Hearing that the attacks (so far) have noise rates below some number is
_vastly_ less helpful for understanding the attack idea than hearing
that the attacks reduce polynomials modulo a factor of f mod q. It's
easy to see how Peikert's "exposition" will deceive people regarding a
quite fundamental aspect of these attacks, especially if those people
are religious acolytes vulnerable to confirmation bias. Peikert should
instead be going out of his way to prominently _disavow_ the "factors of
f mod q can't be bad" religion and distance himself from the crusade.
Pretending that the religion doesn't exist is counterproductive.
Meanwhile Peikert accuses me of "serious false assertions and deep
mischaracterizations about the lattice cryptography literature, along
with poorly thought-through technical claims that fall apart under
inspection," and not correcting these errors, etc. My own view is that
Peikert has established an unfortunate pattern of misrepresenting what
I wrote, criticizing the results, portraying this as criticism of me
personally, and trying to distract people from what I actually wrote.
It's impossible not to notice that two of the messages that Peikert
points to are risk-management analyses of the EHL-ELOS-CLS line of
research. Why does Peikert find this line of research so threatening
that he feels compelled to resort to ad-hominem attacks?
Anyway, my preference---as illustrated in my previous message---is to
simply tackle the content of the myths without getting sidetracked on
the question of who is to blame for the myths. In particular, what
really matters here is not the role of Peikert (or anyone else), but the
fact that small factors of f mod q have been playing a role in the best
attacks known for two years and counting.
---Dan