Security Analysis of Integer Learning with Errors with Rejection Sampling
Kyle Yates, Antsa Pierrottet, Abdullah Al Mamun, Ryann Cartor, Mashrur Chowdhury, Shuhong Gao

TL;DR
This paper investigates the effectiveness of a linear algebra-based attack on small ILWE instances used in digital signatures like CRYSTALS-Dilithium, combining theoretical analysis and experiments to assess security.
Contribution
It introduces novel simulation techniques and directly applies the attack to real-world signature schemes, providing new insights into their security against ILWE-based attacks.
Findings
The attack is less effective on small ILWE instances in practical schemes.
Experimental results support the security of ILWE-based signatures.
The study offers new methods for simulating ILWE attacks efficiently.
Abstract
At ASIACRYPT 2018, a digital attack based on linear least squares was introduced for a variant of the learning with errors (LWE) problem which omits modular reduction known as the integer learning with errors problem (ILWE). In this paper, we present a theoretical and experimental study of the effectiveness of the attack when applied directly to small parameter ILWE instances found in popular digital signature schemes such as CRYSTALS-Dilithium which utilize rejection sampling. Unlike other studies which form ILWE instances based on additional information obtained from side-channel attacks, we take a more direct approach to the problem by constructing our ILWE instance from only the obtained signatures. We outline and introduce novel techniques in our simulation designs such as modular polynomial arithmetic via matrices in , as well as algorithms for handling large sample…
Taxonomy
Topics: Polynomial and algebraic computation · Cryptography and Data Security · Cryptography and Residue Arithmetic
