Improved Meet-LWE attack and Its Implication to SMAUG-T Parameters
71 views
Skip to first unread message
이주희 (융합보안공학과)
Jun 13, 2024, 10:17:30 PMJun 13
to KpqC-bulletin
Dear all,
Hi,
I'm happy to share our recent paper posted at IACR eprint (https://eprint.iacr.org/2024/824) that aims to improve May's Meet-LWE attack and present some results for the efficient PQC schemes.
We would like to report that the results on SMAUG-T, NTRU+ parameters of our attack show reduced time/memory complexity compared to the May's attack.
For example, the estimated time complexities of our attack on SMAUG-T parameters {TiMER, SMAUG-T128, SMAUG-T192,SMAUG-T256} are 122, 147, 182, and 231 bits, respectively.
According to the Table 2 in the SMAUG-T document, the time complexities for Meet-LWE are reported as 144, 164, 214, and 283 bits, respectively.
Hence, to achieve the similar estimation of security in bits against our attack with the attack costs 'beyond Core-SVP' in their Table 3 in the SMAUG-T document , we recommend to raise the Hamming weight parameter (min(h_s, h_r)) to 114, 192, and 225 for the parameter sets TiMER, SMAUG-T192, and SMAUG-T256, respectively.
If you have any questions or comments, please let me know.
Best regards,
Joohee Lee, Eunmin Lee, Yuntao Wang.
Hi,
I'm happy to share our recent paper posted at IACR eprint (https://eprint.iacr.org/2024/824) that aims to improve May's Meet-LWE attack and present some results for the efficient PQC schemes.
We would like to report that the results on SMAUG-T, NTRU+ parameters of our attack show reduced time/memory complexity compared to the May's attack.
For example, the estimated time complexities of our attack on SMAUG-T parameters {TiMER, SMAUG-T128, SMAUG-T192,SMAUG-T256} are 122, 147, 182, and 231 bits, respectively.
According to the Table 2 in the SMAUG-T document, the time complexities for Meet-LWE are reported as 144, 164, 214, and 283 bits, respectively.
Hence, to achieve the similar estimation of security in bits against our attack with the attack costs 'beyond Core-SVP' in their Table 3 in the SMAUG-T document , we recommend to raise the Hamming weight parameter (min(h_s, h_r)) to 114, 192, and 225 for the parameter sets TiMER, SMAUG-T192, and SMAUG-T256, respectively.
If you have any questions or comments, please let me know.
Best regards,
Joohee Lee, Eunmin Lee, Yuntao Wang.
Reply all
Reply to author
Forward
0 new messages