Research article on the topic 'CRYPTANALYSIS OF LWE AND SIS-BASED CRYPTOSYSTEMS BY USING QUANTUM ANNEALING'

Research article in the field of Computer and Information Sciences

CC BY
Keywords
post-quantum cryptography / lattice-based cryptography / learning with errors / short integer solution / quadratic unconstrained binary optimization / quantum processing unit

Abstract of the research article in computer and information sciences; authors: Qayyum Abdul, Haris Muhammad

In this paper we study lattice-based cryptographic problems, in particular the Learning With Errors (LWE) and Short Integer Solution (SIS) problems, which are well-known cryptographic primitives believed to be secure against both classical and quantum attacks. We formulate LWE and SIS as Mixed-Integer Programming (MIP) models and then convert them to Quadratic Unconstrained Binary Optimization (QUBO) problems, which can be solved on a quantum annealer. Quantum annealing searches for the global minimum of the input objective function subject to the given constraints. We estimate the number of qubits required on a Quantum Processing Unit (QPU). Our results show that this approach can solve certain instances of the LWE and SIS problems.


Text of the research article on the topic «CRYPTANALYSIS OF LWE AND SIS-BASED CRYPTOSYSTEMS BY USING QUANTUM ANNEALING»

Operations required for different types of matrix multiplication

Operations list

Matrix multiplication                 Number of additions   Number of multiplications   Number of shift operations
Standard                              $n^3 - n^2$           $n^3$                       0
Using companion matrix over $F_2$     $n^2 - nt - n$        0                           $nt + n$
Using companion matrix over $F_p$     $n^2 - nt - n$        $n^2 - nt$                  $nt$

Lemma 1. Standard matrix multiplication of two $n \times n$ matrices requires $n^3$ multiplications and $n^3 - n^2$ additions, $2n^3 - n^2$ operations in total. The complexity is $O(n^3)$.

Lemma 2. Matrix multiplication by a companion matrix of a monic polynomial of degree $n$ over $F_p$ requires $nt$ shift operations, $n^2 - nt$ multiplications and $n^2 - nt - n$ additions, $2n^2 - nt - n$ operations in total. Here $t$ is the number of rows of the companion matrix of the monic polynomial whose $t$-th coefficient is zero. The complexity is $O(n^2)$.

Lemma 3. Matrix multiplication by a companion matrix of a monic polynomial of degree $n$ over $F_2$ requires $nt + n$ shift operations and $n^2 - nt - n$ additions, $n^2$ operations in total. Here $t$ is the number of rows of the companion matrix of the monic polynomial whose $t$-th coefficient is zero. The complexity is $O(n^2)$.


UDC 519.7 DOI 10.17223/2226308X/16/30

CRYPTANALYSIS OF LWE AND SIS-BASED CRYPTOSYSTEMS BY USING QUANTUM ANNEALING¹

A. Qayyum, M. Haris



¹ The work is supported by the Mathematical Center in Akademgorodok under the agreement No. 075-15-2022-282 with the Ministry of Science and Higher Education of the Russian Federation.

1. Introduction

Quantum computers hold the promise of solving many computational problems faster than classical computers. Because of this potential, researchers are exploring quantum computing and its implications for different fields, including cryptography. The advent of quantum computing poses a serious threat to many foundations of cryptography. Because of this concern, many researchers have turned to Post-Quantum Cryptography (PQC). In this context, the National Institute of Standards and Technology (NIST) invited researchers to submit PQC algorithms. After analyzing the submissions, NIST announced the selected algorithms in 2022: CRYSTALS-Kyber [1] for public-key encryption and key establishment, and CRYSTALS-Dilithium [2], Falcon [3] and SPHINCS+ [4] for digital signatures. Most of the selected algorithms are lattice-based (SPHINCS+, which is hash-based, is the exception). Therefore, we explore lattice-based cryptographic problems, specifically the Learning with Errors (LWE) and Short Integer Solution (SIS) problems.

Lattice-based cryptography is a family of asymmetric cryptographic constructions built on the mathematical structure called a lattice. Its security rests on the hardness of certain lattice problems, such as the Shortest Vector Problem (SVP), the Shortest Independent Vectors Problem (SIVP), the Closest Vector Problem (CVP), Short Integer Solution (SIS) and Learning with Errors (LWE) [5]. Several families of methods attack these problems: lattice basis reduction, sieving and enumeration.

For solving SIS and LWE, one method is lattice basis reduction, with algorithms such as LLL [6] and BKZ [7] that transform the input basis into one made of short, nearly orthogonal vectors, from which solutions to SIS and LWE can be extracted. Another method is sieving, e.g. the Gauss Sieve [8], which samples many lattice vectors and exploits their statistical properties to find vectors close to the origin. The third method is enumeration, e.g. Kannan's algorithm [9], which systematically lists all lattice points within a given radius and discards the irrelevant candidates; approximate Voronoi cells [10] and Babai's nearest plane algorithm [11] are used for the closest-vector variant.

In this work, we investigate the complexity of attacking the LWE and SIS problems using quantum annealing. We propose Mixed-Integer Programming (MIP) models for SIS and LWE; MIP is a mathematical optimization technique for problems that contain both discrete decision variables and continuous variables. We used the PuLP library for Python, a widely used tool for building MIP models, which interfaces with efficient solvers that can address optimization problems such as our models for SIS and LWE. Furthermore, we convert the models to equivalent QUBO models and estimate the number of qubits required.

2. Quantum annealing and adiabatic computing

Quantum annealing is a form of quantum computing that solves optimization problems by minimizing the energy of a physical system: the global minimum of the input objective function corresponds to the lowest-energy state. A quantum annealer initially puts its qubits into a superposition of all states. These states then evolve according to quantum physics, beyond the user's control, so the user supplies a Quadratic Unconstrained Binary Optimization (QUBO) problem at the beginning, and the configuration read out at the end corresponds to a (hopefully optimal) solution [12]. Quantum annealing is closely related to adiabatic quantum computing: it is a heuristic relaxation of the adiabatic energy-minimization process, with no guarantee that the system stays in the ground state throughout.

QUBO is a binary quadratic model: it represents the problem with binary variables and asks for the assignment of those variables that minimizes a quadratic function. Formally, one minimizes $x^{\mathsf T} Q x = \sum_{u \le v} Q_{uv} x_u x_v$ over $x \in \{0,1\}^N$, where $Q$ is an upper-triangular matrix; since $x_u^2 = x_u$, the linear terms sit on the diagonal. This class of problems matches the design of a quantum processing unit (QPU): the QPU is made up of qubits and couplers that connect pairs of qubits. The qubits play the role of the variables in the equation, and the couplers correspond to the pairs of variables that are multiplied together in the quadratic terms [13].

3. Learning with Errors (LWE)

A lattice is a geometric structure consisting of a discrete set of points in $n$-dimensional space; it is used in several areas, including lattice-based cryptography. The LWE problem is one of the lattice hard problems: it is not known to be NP-hard, but it is believed to be intractable for both classical and quantum computers. It is used in many cryptographic schemes, such as encryption, digital signatures and key exchange. Formally, a lattice and LWE are defined as follows.

A lattice $L$ in $\mathbb{R}^n$ is a discrete additive subgroup of $\mathbb{R}^n$. It is generated by a set of linearly independent vectors $b_1, b_2, \dots, b_n$, called a basis of the lattice [14]:
$$L = \Big\{ \sum_{i=1}^{n} \alpha_i b_i : \alpha_i \in \mathbb{Z} \Big\}.$$

In LWE we have a list of "equations with errors":
$$\sum_{j=1}^{n} a_{1j} s_j \approx_\chi b_1 \pmod q,$$
$$\sum_{j=1}^{n} a_{2j} s_j \approx_\chi b_2 \pmod q,$$
$$\vdots$$
$$\sum_{j=1}^{n} a_{mj} s_j \approx_\chi b_m \pmod q,$$
where $i = 1, 2, \dots, m$, $q = q(n) \le \mathrm{poly}(n)$ is a prime integer, the coefficient vectors $a_i = (a_{i1}, \dots, a_{in}) \in \mathbb{Z}_q^n$ are chosen independently and uniformly, $s \in \mathbb{Z}_q^n$ and $b_i \in \mathbb{Z}_q$. The errors $e_i \in \mathbb{Z}_q$ in the equations are specified by a probability distribution $\chi : \mathbb{Z}_q \to \mathbb{R}^+$ on $\mathbb{Z}_q$; the $e_i$ are chosen independently from $\chi$ [15]. The goal is to find the secret $s$ given the set of noisy linear equations.

LWE Problem Hardness

LWE is not proven NP-hard, but it is at least as hard as certain worst-case lattice problems: Regev showed (via a quantum reduction) that solving LWE on average is at least as hard as approximating SIVP and GapSVP in the worst case to within polynomial factors [15]. We try to approximate the secret vector $s$ by a vector $z$:
$$b_i = \sum_{j=1}^{n} a_{ij} s_j + e_i \bmod q \quad \text{(actual value)},$$
$$\hat b_i = \sum_{j=1}^{n} a_{ij} z_j + r_i \bmod q \quad \text{(predicted value)}.$$
Our goal is to minimize the difference between $b_i$ and $\hat b_i$ so that the vector $z$ becomes close to $s$. We choose the parameter $r_i$ from the same distribution as $e_i$.

Mathematical Model of LWE Problem

The objective function is
$$\min \sum_{i=1}^{m} t_i .$$
The objective of our optimization model is to minimize the sum of the variables $t_i$, which we define in (1) and (2), subject to the following constraints:

— for each $j$ exactly one $x_{jk}$ takes the value 1 and all other entries are 0:
$$\sum_{k=0}^{q-1} x_{jk} = 1, \qquad j = 1, 2, \dots, n;$$

— the value of $z_j$ is a linear combination of the $x_{jk}$ variables:
$$z_j = \sum_{k=0}^{q-1} k \cdot x_{jk}, \qquad j = 1, 2, \dots, n;$$

— the main constraint, which defines the LWE problem, is
$$\sum_{j=1}^{n} a_{ij} z_j + r_i = D_i q + \hat b_i, \qquad i = 1, 2, \dots, m,$$
where $z_j \in \mathbb{Z}_q$ and the integer variable $D_i$ absorbs the multiple of $q$, so that $\hat b_i$ is the predicted value reduced modulo $q$;

— the value $t_i$ is the difference between the actual $b_i$ and the predicted $\hat b_i$, which we want to minimize; the integer variable $C_i$ is introduced to linearize the reduction modulo $q$:
$$b_i - \hat b_i = C_i q + t_i; \qquad (1)$$

— the upper bound for $\hat b_i$:
$$\hat b_i \le q - 1;$$

— and the bounds for $t_i$ ($t_i$ must be non-negative, otherwise the objective would be unbounded):
$$0 \le t_i \le q - 1. \qquad (2)$$

The variables belong to the following sets:
$$x_{jk} \in \{0, 1\}, \qquad C_i, D_i \in \mathbb{Z}, \qquad z_j, \hat b_i \in \mathbb{Z}_q .$$
The parameters belong to the following sets:
$$a_{ij}, b_i, r_i \in \mathbb{Z}_q, \qquad i = 1, 2, \dots, m, \quad j = 1, 2, \dots, n, \quad k = 0, 1, \dots, q - 1 .$$

To perform the experiments for the above model, we fix the parameters: $s_j \in \mathbb{Z}_q$ and $a_{ij} \in \mathbb{Z}_q$ are chosen independently and uniformly, the error $e_i \in \mathbb{Z}_q$ is drawn from the error distribution $\chi$, and $b_i \in \mathbb{Z}_q$ is computed from
$$\sum_{j=1}^{n} a_{ij} s_j + e_i = F_i q + b_i,$$
where $F_i$ is a non-negative integer (the quotient of the left-hand side by $q$). After fixing these parameters, we ran the MIP model and obtained the following results (the Table):

n, m, q     No. of runs   Mean $\sum_i t_i$   Max objective function   Mean $\sum_j (s_j - z_j) \bmod q$
3, 4, 23    20            3.15                5                        0.25
4, 5, 23    20            2.05                4                        0.15
5, 6, 23    20            1.9                 3                        0.9
6, 7, 23    20            1.75                3                        0.45

The last column is the mean distance between the recovered vector $z$ and the planted secret $s$ over the 20 runs. Note that these instances ($n \le 6$, $q = 23$) are far below cryptographic parameter sizes.

After verifying the linear mathematical model, we converted it to a QUBO model by expressing all variables in binary and moving the constraints into quadratic terms of the objective function. We also estimated the number of qubits of the QUBO model by counting the qubits needed for each binary and integer variable used in the objective function and in all the constraints.

Proposition 1. The minimal number of qubits required for the implementation of the considered QUBO model of LWE on a QPU is at most
$$3nq + 17mq + m \left\lceil \log_2\big(n(q-1)^2 + (q-1)\big) \right\rceil + 4m \left\lceil \frac{n(q-1)^2 + (q-1)}{q} \right\rceil + 5m \lceil \log_2 q \rceil + mn \lceil \log_2 q \rceil .$$

This estimate of the number of qubits is theoretical. In future work we will convert the QUBO model into an Ising model to observe the practical number of qubits required on a QPU, using the D-Wave Ocean software.
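The conversion described in this section, as an added worked example (written for this page; it is not code from the paper). It keeps the paper's one-hot bits $x_{jk}$ with $z_j = \sum_k k\,x_{jk}$ and the integer slack $D_i$ for the multiple of $q$, but as a simplification it drops $r_i$, $C_i$, $t_i$ and $\hat b_i$ and instead penalizes the squared residual $\sum_j a_{ij} z_j - q D_i - b_i$ together with the one-hot constraints, which is the usual way constraints are folded into a QUBO. The LWE instance ($q = 5$, $n = 2$, $m = 3$, the secret and the errors) is constructed for the example, and an exhaustive Gray-code search over all $2^{19}$ assignments stands in for the annealer; it is only viable because the instance is tiny.

```python
# Added example (not from the paper): the paper's LWE model with one-hot bits x_jk
# and an integer slack D_i, written directly as a QUBO, then minimised exactly by
# exhaustive search as a stand-in for a quantum annealer. Standard library only.

# --- constructed toy LWE instance (q = 5, n = 2, m = 3); all values are assumptions ---
Q_MOD = 5
A = [[1, 2], [3, 4], [2, 3]]    # rows a_i = (a_i1, a_i2) in Z_q
SECRET = [3, 2]                 # s; used only to derive B and to check the answer
ERRORS = [0, 0, 1]              # e_i, small (|e_i| <= 1)
B = [(sum(a * s for a, s in zip(row, SECRET)) + e) % Q_MOD
     for row, e in zip(A, ERRORS)]            # b_i = a_i . s + e_i mod q  -> [2, 2, 3]


def build_lwe_qubo(a, b, q):
    """Return (Q, offset, layout) with energy(x) = sum_{u<=v} Q[u,v] x_u x_v + offset.

    Bits: x_{jk} one-hot, z_j = sum_k k x_{jk};  d_{il} binary digits of D_i >= 0.
    energy = P * sum_j (sum_k x_{jk} - 1)^2 + sum_i (sum_j a_ij z_j - q D_i - b_i)^2,
    so a feasible assignment scores sum_i (centred residual_i)^2 and the planted
    secret scores sum_i e_i^2 (assumes the errors are small compared with q).
    """
    m, n = len(a), len(a[0])
    # D_i <= (n(q-1)^2 + (q-1)) / q, the same bound as in the paper's Proposition 1
    d_max = (n * (q - 1) ** 2 + (q - 1)) // q
    d_bits = d_max.bit_length()
    x_var = {(j, k): j * q + k for j in range(n) for k in range(q)}
    d_var = {(i, l): n * q + i * d_bits + l for i in range(m) for l in range(d_bits)}
    nvars = n * q + m * d_bits
    # penalty P larger than any value the residual term can take, so violating a
    # one-hot constraint can never pay off
    residual_bound = n * (q - 1) ** 2 + q * (2 ** d_bits - 1) + (q - 1)
    penalty = m * residual_bound ** 2 + 1
    Q, offset = {}, 0

    def add_square(terms, const, weight):
        # add weight * (sum_v c_v x_v + const)^2 to Q, using x_v^2 = x_v on the diagonal
        nonlocal offset
        for u, cu in terms:
            Q[(u, u)] = Q.get((u, u), 0) + weight * (cu * cu + 2 * cu * const)
        for p in range(len(terms)):
            for r in range(p + 1, len(terms)):
                (u, cu), (v, cv) = terms[p], terms[r]
                key = (min(u, v), max(u, v))
                Q[key] = Q.get(key, 0) + weight * 2 * cu * cv
        offset += weight * const * const

    for j in range(n):                               # one-hot constraint per z_j
        add_square([(x_var[(j, k)], 1) for k in range(q)], -1, penalty)
    for i in range(m):                               # residual of equation i
        terms = [(x_var[(j, k)], a[i][j] * k) for j in range(n) for k in range(q)]
        terms += [(d_var[(i, l)], -q * (1 << l)) for l in range(d_bits)]
        add_square(terms, -b[i], 1)
    layout = {"n": n, "q": q, "nvars": nvars, "x": x_var}
    return Q, offset, layout


def solve_qubo_exhaustively(Q, offset, nvars):
    """Exact minimum over all 2^nvars assignments, walking a Gray code so that each
    step flips one bit and updates the energy in O(nvars). Stands in for the
    annealer; it is only viable because the instance is tiny."""
    diag, nbr = [0] * nvars, [[] for _ in range(nvars)]
    for (u, v), c in Q.items():
        if u == v:
            diag[u] = c
        elif c:
            nbr[u].append((v, c))
            nbr[v].append((u, c))
    x, energy = [0] * nvars, offset
    best_energy, best_x = energy, list(x)
    for step in range(1, 1 << nvars):
        k = (step & -step).bit_length() - 1          # bit flipped at this Gray-code step
        delta = diag[k] + sum(c * x[v] for v, c in nbr[k])
        energy += -delta if x[k] else delta
        x[k] ^= 1
        if energy < best_energy:
            best_energy, best_x = energy, list(x)
    return best_energy, best_x


def decode_z(x, layout):
    """Recover z_j = sum_k k x_jk; None if some one-hot group is violated."""
    z = []
    for j in range(layout["n"]):
        bits = [x[layout["x"][(j, k)]] for k in range(layout["q"])]
        if sum(bits) != 1:
            return None
        z.append(bits.index(1))
    return z


def recover_secret(a, b, q):
    """Build the QUBO for (a, b, q), minimise it, return (z, energy, qubit count)."""
    Q, offset, layout = build_lwe_qubo(a, b, q)
    energy, x = solve_qubo_exhaustively(Q, offset, layout["nvars"])
    return decode_z(x, layout), energy, layout["nvars"]


if __name__ == "__main__":
    z, energy, nvars = recover_secret(A, B, Q_MOD)
    print(f"qubits: {nvars}  recovered z: {z}  energy: {energy}  planted s: {SECRET}")
```

For this instance the QUBO has $nq + m\lceil\log_2 D_{\max}\rceil = 10 + 9 = 19$ binary variables, the recovered $z$ equals the planted secret, and the minimum energy equals $\sum_i e_i^2 = 1$. Two design choices matter in practice: the penalty $P$ must exceed the largest value the residual term can reach, otherwise the minimiser may prefer a non-one-hot $x$; and the range of $D_i$ must cover the true quotient for the secret, which is why the bound $(n(q-1)^2 + (q-1))/q$ from Proposition 1 is reused. The count is far below the Proposition's bound because the auxiliary variables $r_i$, $C_i$, $t_i$, $\hat b_i$ of the MIP are not kept as separate qubits here; in exchange the objective is the squared centred residual rather than $\sum_i t_i$. The instance was chosen so that the secret is the unique minimiser; with only three equations a random instance often has spurious $z$ of equal energy, which is the same effect the table above measures in its last column.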

4. Short Integer Solution (SIS)

The SIS problem is one of the lattice hard problems. It is widely used in cryptographic constructions such as hash functions and digital signatures, and the security of many lattice-based schemes rests on the hardness of SIS or of its ring variant. Formally, SIS is defined as follows: given a matrix $A \in \mathbb{Z}_q^{n \times m}$ with $m > n$ and a positive bound $\beta$, find a non-zero vector $z \in \mathbb{Z}^m$ such that
$$\|z\| \le \beta, \qquad A z = 0 \bmod q,$$
where $\beta \ge \sqrt{m \log q}$, $q$ is a prime integer and $\|\cdot\|$ is the Euclidean norm [5].

SIS Problem Hardness

The SIS problem is not proven NP-hard, but solving it on average is at least as hard as approximating certain worst-case lattice problems, such as SIVP and GapSVP, to within polynomial factors [5]. We want to minimize $\|z\|$ under the following constraints:
$$\|z\| \le \beta, \qquad A z = 0 \bmod q .$$


Mathematical Model of SIS Problem

The objective function is
$$\min \sum_{j=1}^{n} (u_j + v_j).$$
The objective of our optimization model is to minimize the values of the variables $u_j$ and $v_j$, which we define in (3), subject to the following constraints:

— for each $j$ exactly one of the variables $x^{+}_{jk}, x^{-}_{jk}$ takes the value 1 and all others are 0:
$$\sum_{k=0}^{q-1} \left( x^{+}_{jk} + x^{-}_{jk} \right) = 1, \qquad j = 1, 2, \dots, n;$$

— the value of $z_j$ is a linear combination of the $x^{\pm}_{jk}$ variables, its sign being determined by which of the two families is selected:
$$z_j = \sum_{k=0}^{q-1} k \left( x^{+}_{jk} - x^{-}_{jk} \right), \qquad j = 1, 2, \dots, n;$$

— the vector $z$ must lie in the kernel of $A$ modulo $q$, where the integer variable $C_i$ absorbs the multiple of $q$:
$$\sum_{j=1}^{n} a_{ij} z_j = C_i \cdot q, \qquad i = 1, 2, \dots, m;$$

— the positive and negative parts of $z_j$:
$$u_j = \sum_{k=0}^{q-1} k\, x^{+}_{jk}, \qquad v_j = \sum_{k=0}^{q-1} k\, x^{-}_{jk}, \qquad j = 1, 2, \dots, n; \qquad (3)$$

— the vector $z$ must be non-zero:
$$\sum_{j=1}^{n} (u_j + v_j) \ge 1;$$

— the upper bounds for $u_j + v_j$:
$$u_j + v_j \le q - 1, \qquad u_j + v_j \le \beta .$$

Here $x^{+}_{jk}, x^{-}_{jk} \in \{0, 1\}$, $u_j, v_j \in \mathbb{Z}_{\ge 0}$ and $z_j, C_i \in \mathbb{Z}$ are variables; $a_{ij} \in \mathbb{Z}$, $i = 1, 2, \dots, m$, $j = 1, 2, \dots, n$, $k = 0, 1, \dots, q - 1$ are parameters. Since exactly one of the $x^{\pm}_{jk}$ is set for each $j$, at most one of $u_j, v_j$ is non-zero, so $|z_j| = u_j + v_j$ and the objective equals $\|z\|_1 \ge \|z\|_2$; a solution of the model therefore also satisfies the Euclidean bound.

We converted the above model to a QUBO model by expressing all variables in binary and moving the constraints into quadratic terms of the objective function. We also estimated the number of qubits of the QUBO model by counting the qubits needed for each binary and integer variable used in the objective function and in all the constraints.

Proposition 2. The minimal number of qubits required for the implementation of the considered QUBO model of SIS on a QPU is at most
$$16nq + 2m \left\lceil n(q-1)^2 \right\rceil + mn \lceil \log_2 q \rceil .$$

5. Conclusion

We have investigated the complexity of attacking the LWE and SIS problems using quantum annealing. First, we introduced Mixed-Integer Programming models for LWE and SIS. Next, we presented experimental results obtained with the Python library PuLP. Finally, we formulated the models as QUBO problems and estimated the number of qubits required for a Quantum Processing Unit to perform quantum annealing on them. After analyzing the LWE and SIS problems, we conclude that cryptanalysis of certain small instances of the LWE problem is possible using the QUBO model. In future work we will convert the QUBO models into Ising models to observe the practical number of qubits required on a QPU, using the D-Wave Ocean software. We will also compare the performance of the quantum annealing-based approach with classical lattice algorithms.

Acknowledgment

We would like to express our sincere gratitude to our scientific supervisor A. V. Kutsenko for his guidance and support throughout the research process. His valuable remarks played a vital role in shaping the direction of our thesis. We are thankful to him for believing in us and motivating us to achieve the results of our research.

REFERENCES

1. Bos J., Ducas L., Kiltz E., et al. CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. Proc. 2018 IEEE Europ. Symp. on Security and Privacy (EuroS&P), London, UK, 2018, pp. 353-367.

2. Ducas L., Kiltz E., Lepoint T., et al. CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptographic Hardware Embedded Systems, 2018, no. 1, pp. 238-268.

3. Fouque P. A., Hoffstein J., Kirchner P., et al. Falcon: Fast-Fourier lattice-based compact signatures over NTRU. Submission to the NIST post-quantum cryptography standardization process, 2018. https://www.di.ens.fr/~prest/Publications/falcon.pdf.

4. Bernstein D. J., Hülsing A., Kölbl S., et al. The SPHINCS+ signature framework. Proc. 2019 ACM SIGSAC Conf. CCS'19, London, UK, 2019, pp. 2129-2146.

5. Peikert C. A decade of lattice cryptography. Found. Trends Theor. Comput. Sci., 2016, vol. 10, no. 4, pp. 283-424.

6. Lenstra A. K., Lenstra H. W., and Lovász L. Factoring polynomials with rational coefficients. Math. Ann., 1982, vol. 261, pp. 515-534.

7. Chen Y. and Nguyen P. Q. BKZ 2.0: Better lattice security estimates. LNCS, 2011, vol. 7073, pp. 1-20.

8. Ishiguro T., Kiyomoto S., Miyake Y., and Takagi T. Parallel Gauss Sieve algorithm: solving the SVP challenge over a 128-dimensional ideal lattice. LNCS, 2014, vol. 8383, pp. 411-428.

9. Hanrot G. and Stehlé D. Improved analysis of Kannan's shortest lattice vector algorithm. LNCS, 2007, vol. 4622, pp. 170-186.

10. Doulgerakis E., Laarhoven T., and de Weger B. Finding closest lattice vectors using approximate Voronoi cells. LNCS, 2019, vol. 11505, pp. 3-22.

11. Babai L. On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica, 1986, vol. 6, no. 1, pp. 1-13.

12. Date P., Patton R., Schuman C., and Potok T. Efficiently embedding QUBO problems on adiabatic quantum computers. Quantum Inform. Processing, 2019, vol. 18, pp. 1-31.

13. Glover F., Kochenberger G., and Hennig R. Quantum bridge analytics I: a tutorial on formulating and using QUBO models. Ann. Operations Res., 2022, vol. 314, no. 1, pp. 141-183.

14. Micciancio D. and Goldwasser S. Complexity of Lattice Problems. N.Y., Springer, 2002.

15. Regev O. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 2009, vol. 56, no. 6, pp. 1-40.
