A Hybrid of Dual and Meet-in-the-Middle Attack on Sparse and Ternary Secret LWE

The dual attack is one of the most efficient attack algorithms for the learning with errors (LWE) problem. Recently, an efficient variant of the dual attack for sparse and small secret LWE was reported by Albrecht (Eurocrypt 2017), which forced some LWE-based cryptosystems, especially fully homomorphic encryption (FHE) schemes, to change their parameters. In this paper, we propose a new hybrid of the dual and meet-in-the-middle (MITM) attacks, which outperforms the improved variant in the same LWE parameter regime. To this end, we adapt Odlyzko's MITM attack on NTRU to LWE and give a rigorous analysis of it. The performance of our MITM attack depends on the relative size of the error and the modulus; hence, for LWE samples with a large modulus, our MITM attack works well even for quite large errors. We then combine our MITM attack with Albrecht's observation that the dual attack can be viewed as a dimension-error trade-off, which finally yields our hybrid attack. We also implement a Sage module on top of the LWE-estimator that estimates the complexity of our attack, and our attack shows a significant performance improvement for the LWE parameters used in FHE. For example, for the LWE problem with dimension $n = 2^{15}$, modulus $q = 2^{628}$, and ternary secret key with Hamming weight 64, which is one parameter set used for HEAAN bootstrapping (Eurocrypt 2018), our attack takes $2^{112.5}$ operations and $2^{70.6}$ bits of memory, while the previous best attack requires $2^{127.2}$ operations as reported by the LWE-estimator.


I. INTRODUCTION
The Learning with Errors (LWE) problem has brought many fruitful applications to the cryptographic world [1]-[7]. The strongest advantage of the LWE problem for cryptosystems is that it is provably hard to solve [1], [2], [8]: in a certain parameter regime, LWE is as intractable as known hard lattice problems, even on average. Thanks to this property, the LWE problem plays an important role in cryptography, especially for homomorphic encryption (HE) [9]-[15]. HE is an encryption scheme that allows computations over encrypted data, including additions and multiplications. Since HE enables such computation without any knowledge of the underlying message, the demand for HE has grown with the need to entrust data to third parties, for instance for outsourced computation and privacy-preserving neural networks, without disclosing personal data.
The associate editor coordinating the review of this manuscript and approving it for publication was Yinghui Zhang.
In line with this growing attention to HE, some practical variants of the LWE problem have been studied to boost the efficiency of HE. First, since the norm of the secret vector strongly affects the performance of HE, most HE implementations, including HElib, SEAL and HEAAN, use ternary secret vectors [16]-[18]. However, those LWE variants with such small secret vectors currently lie outside the known provably secure parameter regime; that is, the security guarantee for HE implementations is somewhat weaker than for the original LWE problem. Moreover, to support an unbounded number of operations, in other words to obtain fully homomorphic encryption, one needs a technique named bootstrapping. Since the performance of bootstrapping depends on the Hamming weight of the secret vector, the aforementioned HE implementations further use sparse ternary secret vectors in practice [19]-[21].
In this situation, Albrecht [22] recently pointed out that the security of LWE with a (sparse) ternary secret key is far weaker than previously thought, by suggesting a new variant of the dual attack, one of the primary algorithms for solving LWE. This attack is included in the LWE-estimator [23], a program that outputs the estimated bit-security of queried LWE parameters, and it indeed gives the best performance for the LWE parameters used in HE: a large modulus and a sparse ternary secret vector.

A. THE DUAL ATTACK
Informally, LWE asks one to determine, given a matrix $A \in \mathbb{Z}_q^{m \times n}$ chosen uniformly at random and a vector $b \in \mathbb{Z}_q^m$, whether $b$ is also chosen uniformly at random or is of the form $b = As + e$ for some secret vector $s$ and small error vector $e$. The dual attack strategy finds a short vector $v$ that is orthogonal to the matrix $A$, i.e. $v^t A \equiv 0 \pmod q$. Then, by computing $\langle v, b\rangle$, one can guess whether $(A, b)$ is an LWE sample: if $b = As + e$, one has $\langle v, b\rangle \equiv \langle v, e\rangle \pmod q$, which is still small if $v$ is sufficiently short, whereas for a uniform $b$ the inner product is uniform in $\mathbb{Z}_q$.
If the secret vector $s$ is sparse, then the columns of $A$ that correspond to the zero components of $s$ have no influence on $b = As + e$. One can therefore apply the dual attack to a randomly chosen subset of the columns of $A$; this works whenever all the dropped columns correspond to zero components of $s$. The strategy lowers the attack success probability by the probability that the guess is correct, but since the dimension is reduced, finding a short vector takes less time, so one can choose the point where the total attack complexity is minimized.
Albrecht [22] further observed that even if some columns are wrongly dropped, one can compensate for it by a brute-force search. Let $A'$ be the matrix consisting of the dropped columns of $A$ and $s'$ the part of the secret corresponding to $A'$. Then one has $\langle v, b\rangle \equiv v^t A' s' + \langle v, e\rangle \pmod q$, which can be understood as a new LWE sample $(v^t A',\ v^t A' s' + e')$ with secret $s'$ and error $e' = \langle v, e\rangle$. In this regard, the dual attack can be considered as a dimension-error trade-off: the dimension drops from $n$ to the number of dropped columns, while the error grows from $e$ to $\langle v, e\rangle$. By exhaustively searching the possible $s'$ up to some Hamming weight, one still recovers $\langle v, e\rangle$ even when some of the guessed zero components are wrong, which increases the success probability at the cost of a proportional amount of exhaustive search.

B. OUR CONTRIBUTIONS
In this paper, building on the current dual attack framework, we apply a MITM attack to LWE instead of exhaustive search. For that, we first observe that Odlyzko's MITM attack on NTRU [24] can be easily adapted to the LWE setting, and we give an explicit algorithm and a rigorous analysis for it. The cost of this attack is proportional to the square root of the number of candidate secret vectors, while it is insensitive to the absolute size of the error as long as the ratio of error to modulus is sufficiently small. Thus this MITM attack is well suited to the trade-offed LWE samples in the large-modulus case, and from this observation we propose a new hybrid of the dual attack and the MITM attack. Our hybrid attack shows a significant performance improvement on the sparse ternary secret LWE problems used in the homomorphic encryption schemes HElib [5] and HEAAN [10]. We estimate our attack complexity for several parameters in the range currently used by these HE schemes. The result shows that our attack solves the sparse ternary secret LWE problems more than 1000 times faster than the previous attacks on average.

C. RELATED WORKS AND DISCUSSIONS
1) OTHER HYBRID ATTACKS
There is another hybrid of lattice reduction and MITM attack, proposed by Howgrave-Graham [25], which targets NTRU, another primary lattice-based problem. Since then, a series of works has adapted this hybrid attack to LWE problems [26], [28]. These hybrid approaches use lattice reduction to solve the closest vector problem (CVP) with Babai's nearest plane algorithm [29], which is quite different from our use of lattice reduction. Since these attacks apply the MITM strategy to the error vector (not the secret vector), they only give an improvement for extremely small and non-standard error distributions, such as binary or ternary errors.
One may consider modifying Howgrave-Graham's hybrid attack so that it applies to small secrets (rather than small errors) and combining it with the dimension-error trade-off. However, since the success probability of Babai's nearest plane algorithm drops doubly exponentially with the dimension of the LWE samples, it would be highly inefficient in our parameter regime of interest, which has quite large dimension (and modulus size). For this reason, we only adapt the original MITM approach of Odlyzko as the step following the dimension-error trade-off.

2) IMPACT ON NIST STANDARDIZATIONS
Our attack gives no improvement for the small parameters used in public-key cryptosystems, in particular the recent post-quantum cryptography proposals: there the dimension-error trade-off phase increases the error bound $B$ so that $B/q \gtrsim 2^{-10}$. In this case the MITM phase takes too much time, which makes our hybrid attack ineffective.

D. ROADMAP
In Section 2, we give the preliminaries of this paper and explain related works in detail. In Section 3, we review the details of several variants of the dual attack. In Section 4, we show that LWE can be attacked with a MITM approach by giving an efficient method for search in the presence of noise. Then, in Section 5, we see that lattice reduction algorithms can be used to trade off dimension against error in LWE, which leads to a new hybrid attack for LWE. In Section 6, we discuss some results and consequences of our attack.

II. PRELIMINARIES
1) NOTATIONS
We write $\mathbb{Z}_q$ for the set $\mathbb{Z}/q\mathbb{Z}$, whose elements are represented in $(-q/2, q/2] \cap \mathbb{Z}$. Every vector is denoted by a small bold letter and every matrix by a capital letter. We denote the Euclidean norm of a vector by $\|\cdot\|$ and the maximum norm by $\|\cdot\|_\infty$. For a set $S$, we denote the uniform distribution over $S$ by $U(S)$.
A 0-centered distribution $D$ over $\mathbb{Z}$ is said to be $(B, \varepsilon)$-bounded if $\Pr[|D| \ge B] < \varepsilon$. We denote the 0-centered discrete Gaussian distribution with width parameter $s \in \mathbb{R}$ by $D_{\mathbb{Z},s}$. The following lemma says that, for any $x \in \mathbb{R}^n$, the distribution $\langle x, D_{\mathbb{Z}^n,s}\rangle$ is $(C \cdot s \cdot \|x\|,\ 2\exp(-\pi C^2))$-bounded.
Lemma 1 (Lemma 2.4 of [30]): For any real $s > 0$ and $C > 0$, and any $x \in \mathbb{R}^n$, we have
$$\Pr_{e \leftarrow D_{\mathbb{Z}^n,s}}\big[\,|\langle x, e\rangle| \ge C \cdot s \cdot \|x\|\,\big] \le 2\exp(-\pi C^2).$$

A. THE LEARNING WITH ERRORS PROBLEM
Let $n, q > 0$ be integers, $s \in \mathbb{Z}_q^n$, and $\chi$ an error distribution over $\mathbb{Z}$. We define the distribution $A^{\mathrm{LWE}}_{n,q,\chi,s}$ over $\mathbb{Z}_q^{n+1}$ obtained by sampling $a \leftarrow U(\mathbb{Z}_q^n)$ and $e \leftarrow \chi$, and then outputting $(a, \langle a, s\rangle + e)$. Given many samples $(a_i, b_i)$ from $A^{\mathrm{LWE}}_{n,q,\chi,s}$, we represent them by a matrix $(A, b)$ whose $i$-th row is $(a_i, b_i)$, and call $(A, b)$ LWE samples; then $b = As + e$ for the error vector $e = (e_i)$. We also define $A^{\mathrm{LWE}}_{n,q,\alpha,s}$ as the distribution $A^{\mathrm{LWE}}_{n,q,\chi,s}$ where $\chi$ is the Gaussian distribution $D_{\mathbb{Z},\alpha q}$ for $\alpha > 0$.
Definition 1 (Learning with Errors): Let $S$ be a distribution over $\mathbb{Z}_q^n$.
• $\mathrm{LWE}_{n,q,\chi}(S)$ (or $\mathrm{LWE}_{n,q,\alpha}(S)$) is the problem of finding the secret key $s$, given LWE samples from $A^{\mathrm{LWE}}_{n,q,\chi,s}$ (or $A^{\mathrm{LWE}}_{n,q,\alpha,s}$) for a fixed $s \leftarrow S$.
• $\mathrm{DLWE}_{n,q,\chi}(S)$ (or $\mathrm{DLWE}_{n,q,\alpha}(S)$) is the problem of deciding, given arbitrarily many samples $(a_i, b_i) \in \mathbb{Z}_q^{n+1}$, whether they are LWE samples from $A^{\mathrm{LWE}}_{n,q,\chi,s}$ (or $A^{\mathrm{LWE}}_{n,q,\alpha,s}$) for a fixed $s \leftarrow S$ or uniform random samples from $U(\mathbb{Z}_q^{n+1})$.
Note that there is a reduction between the decision and search versions of the LWE problem [1].

1) SPECIAL DISTRIBUTIONS FOR SECRET VECTORS
Several LWE-based cryptosystems take the secret distribution $S$ over a small portion of $\mathbb{Z}_q^n$ to enhance efficiency. In particular, we focus on the case where $S$ is the uniform distribution over sparse (signed) binary, i.e. ternary, vectors. For the sake of simplicity, we denote by $\mathcal{B}_{n,h} := \{ s \in \{-1, 0, 1\}^n : \mathrm{HW}(s) = h \}$ the set of ternary vectors of Hamming weight exactly $h$, and by $\mathcal{B}_{n,\le h} := \{ s \in \{-1, 0, 1\}^n : \mathrm{HW}(s) \le h \}$ the set of ternary vectors of Hamming weight at most $h$, where $\mathrm{HW}(s)$ is the number of nonzero entries of $s$.

B. LATTICE REDUCTION AND BKZ ALGORITHM
Let $\Lambda$ be an $m$-dimensional lattice. A lattice reduction algorithm finds a short basis of $\Lambda$ from a given basis $B$ of $\Lambda$. We say that a lattice reduction algorithm has root-Hermite factor $\delta_0$ if it returns a basis whose first vector $b_1$ has length $\|b_1\| \le \delta_0^m \cdot \det(\Lambda)^{1/m}$. The BKZ algorithm [31] is the most commonly used lattice reduction algorithm. We assume the following for BKZ in this paper.
• BKZ with blocksize $\beta$ costs $c \cdot n \cdot t_\beta$ clock cycles on a dimension-$n$ lattice, where $t_\beta$ is the cost of the blocksize-$\beta$ SVP subroutine under the chosen cost model, and we put $c = 16$ according to [22]. We remark that the complexity estimates of our attack and of the other attacks depend heavily on the lattice reduction cost model. For this reason, although we assume the cost model above, our attack is described independently of the lattice reduction cost model, and one can estimate its cost under any preferred model.

III. ALBRECHT'S IMPROVED DUAL ATTACK
In this section, we give a detailed description of the dual attack and of its recent variant suggested by Albrecht [22], which is known as the best attack on the LWE problems underlying fully homomorphic encryption.

A. SIMPLE DUAL LATTICE ATTACK
The dual lattice attack is an algorithm for $\mathrm{DLWE}_{n,q,\alpha}(S)$. Its main idea is to exploit a short vector in the orthogonal lattice
$$\Lambda_q^{\perp}(A) := \{ y \in \mathbb{Z}^m : y^t A \equiv 0 \pmod q \}.$$
More precisely, for a short vector $y \in \Lambda_q^{\perp}(A)$ and an LWE sample $(A, b)$, one has
$$\langle y, b\rangle = \langle y, As + e\rangle = \langle y^t A, s\rangle + \langle y, e\rangle \equiv_q \langle y, e\rangle,$$
and this yields $[\langle y, b\rangle]_q = \langle y, e\rangle$, which is significantly shorter than $q$. On the other hand, if the given sample $(A, b)$ is uniformly random, then $[\langle y, b\rangle]_q$ is a random value, which is not small compared to the previous case. By repeating this procedure for different $y$'s, we obtain a distinguisher with overwhelming success probability. Thus we can solve the DLWE problem using the smallness of this inner product.
For LWE with small secrets, a natural improvement of the dual attack is obtained by considering the scaled normal form of the dual lattice. More precisely, the scaled normal dual lattice is defined by
$$\Lambda_{q,c}(A) := \{ (y_1, y_2) \in \mathbb{Z}^m \times (1/c)\mathbb{Z}^n : y_1^t A \equiv c \cdot y_2 \pmod q \}$$
for a scaling constant $c > 0$. As in the dual attack, we find a short vector $(y_1, y_2) \in \Lambda_{q,c}(A)$ and compute, for the LWE sample $(A, b = As + e)$, the inner product
$$\langle y_1, b\rangle = \langle y_1^t A, s\rangle + \langle y_1, e\rangle \equiv_q c \cdot \langle y_2, s\rangle + \langle y_1, e\rangle,$$
which is small when $y_1$ and $y_2$ are short and $s$ is small, and this allows us to solve the DLWE problem.

1) CHOICE OF c
We take the constant $c$ so that $|c \cdot \langle y_2, s\rangle| \approx \mathbb{E}[|\langle y_1, e\rangle|]$, in order that the two summands contribute equally to the new error. First we estimate $\mathbb{E}[|\langle y_1, e\rangle|] \approx \frac{\alpha q}{\sqrt{2\pi}} \cdot \|y_1\|$, and then $c$ is taken to satisfy
$$c \approx \frac{\alpha q}{\sqrt{2\pi}} \cdot \frac{\|y_1\|}{|\langle y_2, s\rangle|}.$$
Although we only assume that $y = (y_1, y_2)$ is short, so that the exact sizes of $\|y_1\|$ and $|\langle y_2, s\rangle|$ are not known, we heuristically assume that $\|y_1\| \approx \sqrt{\frac{m}{m+n}} \cdot \|y\|$ and $|\langle y_2, s\rangle| \approx \sqrt{\frac{h}{m+n}} \cdot \|y\|$ for a secret of Hamming weight $h$, which gives $c \approx \frac{\alpha q}{\sqrt{2\pi}} \sqrt{\frac{m}{h}}$. Both estimates follow from the following assumption.
Assumption 1: Let $y \in \Lambda_{q,c}(A)$ be a short vector obtained from lattice reduction. Then each entry of $y$ has similar size $\|y\| / \sqrt{m+n}$.

B. IMPROVED DUAL ATTACK
Now we review the improvement on the dual attack on the sparse secret LWE problem [22]. Most of the techniques described in this section are applicable to our hybrid attack.
Hereafter we assume that the secret key $s$ is in $\mathcal{B}_{n,h}$ for some $h \ll n$.

1) ASSUMPTION ON s
To exploit the sparsity of the secret key, Albrecht suggests solving the LWE problem by the dual lattice attack under the assumption that some coordinates of the secret key are zero. More precisely, parse the matrix $A$ into $A_1 \| A_2$ for two matrices $A_1 \in \mathbb{Z}_q^{m \times (n-k)}$ and $A_2 \in \mathbb{Z}_q^{m \times k}$, and the secret key into $s = (s_1 \| s_2) \in \mathbb{Z}_q^{n-k} \times \mathbb{Z}_q^k$ accordingly. If the part of the secret key that corresponds to $A_2$ is the zero vector, i.e. $s_2 = 0$, then it holds that $b = As + e = A_1 s_1 + e$. Thus the dual attack on $A_1$ using $(y_1, y_2) \in \Lambda_{q,c}(A_1)$ proceeds as before:
$$\langle y_1, b\rangle = \langle y_1^t A_1, s_1\rangle + \langle y_1, e\rangle \equiv_q c \cdot \langle y_2, s_1\rangle + \langle y_1, e\rangle.$$
Since it suffices to run the lattice reduction algorithm in dimension $n - k$ instead of $n$, this assumption makes the DLWE problem faster to solve. The drawback is the probability that the assumption holds; we minimize the product of the inverse of this probability and the time to solve DLWE under the assumption by choosing an appropriate $k$.

2) RELAXED ASSUMPTION
Albrecht introduces another method that relaxes the assumption. When $s_2 \ne 0$, the dual attack on $A_1$ yields
$$\langle y_1, b\rangle \equiv_q y_1^t A_2 s_2 + c \cdot y_2^t s_1 + y_1^t e,$$
where $c \cdot y_2^t s_1 + y_1^t e$ is relatively small when the sample comes from LWE. We now assume that all but at most $h'$ coordinates of $s_2$ are zero, instead of requiring $s_2$ to be the zero vector. Then the attack searches over the possible secrets $s_2 \in \mathcal{B}_{k,\le h'}$ and checks whether $[\langle y_1, b\rangle - y_1^t A_2 s_2]_q$ is far smaller than $q$ or not. If there is such an $s_2$, then we decide that the given sample comes from LWE.
In this strategy the probability that the assumption holds increases considerably, whereas the time complexity does not increase much; in practice the adversary chooses a small $h'$ (at most about 10) so that the dominant part remains the lattice reduction. Thus this relaxation lowers the estimated security of LWE. We remark that this approach can be viewed as a trade-off between dimension and error, as also noted by Albrecht.

3) AMORTIZED COSTS FOR LATTICE REDUCTIONS
To verify whether the guessed $s_2$ is correct or not, we need several short vectors $(y_1, y_2) \in \Lambda_{q,c}(A_1)$. To obtain several short vectors of similar length in a given lattice $\Lambda$, the easiest way would be to repeat a lattice reduction that achieves root-Hermite factor $\delta_0$, which gives vectors $v_i$ of length less than $\delta_0^m \cdot \det(\Lambda)^{1/m}$. Instead, Albrecht suggested performing one expensive lattice reduction (e.g. BKZ-$\beta$) on the given basis to obtain a sufficiently short basis $B$, and then applying cheap lattice reductions (e.g. LLL) repeatedly while re-randomizing the short basis $B$ by multiplying it by a short and sparse unimodular matrix $U$. Using a sufficiently short and sparse $U$, the short vectors $v_i$ obtained by the cheap lattice reduction have a length that is estimated in [22, Section 3], to which we refer for details.
To obtain statistically independent $(y_1, y_2) \in \Lambda_{q,c}(A_1)$, we would have to assume that arbitrarily many DLWE samples are available. On the other hand, in many actual uses of the LWE problem only a bounded number of samples $(A, b)$ is given; typically the number of samples is $m = O(n)$. In this case we instead sample several short vectors $y_i = (y_{i,1} \| y_{i,2})$ in the fixed lattice $\Lambda_{q,c}(A_1)$, either by running BKZ iteratively with a re-randomized basis or by running LLL iteratively according to the amortizing technique.
• Iterating BKZ: For a basis $B$ of $\Lambda_{q,c}(A_1)$, iteratively perform BKZ on $B \cdot U$ for a randomly sampled unimodular $U$.
• Iterating LLL: Perform BKZ on $B$ to obtain $B_{\mathrm{BKZ}}$. Randomly sample a small and sparse unimodular $U$, and run LLL on $B_{\mathrm{BKZ}} \cdot U$ to obtain a short vector. Repeat this while changing $U$.
However, if we use the same lattice $\Lambda_{q,c}(A_1)$, the new $k$-dimensional samples are no longer independent of each other, since every $y_i$ comes from the same lattice. Thus we heuristically assume that the short vectors $y_i \in \Lambda_{q,c}(A_1)$ are independent of each other, that is, that we still obtain independent $\mathrm{LWE}_{k,q,\chi'}$ samples from the $y_i$.
Assumption 2: Each iterative call of the BKZ (or LLL) algorithm on a randomized basis of $\Lambda_{q,c}(A_1)$ gives an independent short vector $y_i$.

IV. MEET-IN-THE-MIDDLE ATTACK ON LWE
In this section we describe an attack algorithm that solves LWE by a meet-in-the-middle strategy. Let $(A, b) \in \mathbb{Z}_q^{m \times (n+1)}$ be $\mathrm{DLWE}_{n,q,\alpha}(\mathcal{B}_{n,\le h})$ samples with secret vector $s$. For the MITM approach, it is natural to consider the noisy relation
$$b - A s_2 = A s_1 + e$$
for some $s_1 \in \mathcal{B}_{n,\le h/2}$ and $s_2 \in \mathcal{B}_{n,\le h/2}$ satisfying $s = s_1 + s_2$. We first prepare a table $T = \{ A v_1 : v_1 \in \mathcal{B}_{n,\le h/2} \}$, and then, for each $v_2 \in \mathcal{B}_{n,\le h/2}$, check whether $b - A v_2 \in \mathbb{Z}_q^m$ is close to the set $T$, where the notion of closeness depends on the size of the error $e$. If such a case occurs for some $v_2$, then we expect that $v_2$ is the right half of the secret $s$. Otherwise, if we see no such case for any possible $v_2$, we conclude that the given sample comes from the uniform distribution.
In this approach, finding an element of $T$ that is close to $b - A v_2 \in \mathbb{Z}_q^m$ is the main task. A simple exhaustive method that checks every vector close to $b - A v_2$ surely works, but it costs too much time. We resolve this with a search algorithm in the presence of noise that uses a locality-sensitive-hashing-like technique, adapted from Odlyzko's MITM attack on NTRU [24].
Before explaining our algorithm, we remark that this MITM attack alone does not affect the practical parameter choices of the current schemes; it serves as the main subroutine of our hybrid attack algorithm, introduced in Section 5.

4) REMARK
To the best of our knowledge, two papers have mentioned the MITM approach for LWE, but both are problematic: Bai and Galbraith [34] mention that there is a MITM attack on LWE but do not give an explicit algorithm, and Albrecht et al. [23] present a MITM attack on LWE based on lexicographic-order sorting whose analysis has a flaw. We describe this flaw in Section VII. We note that a very similar algorithm has been considered in a different context, for example for the inhomogeneous short integer solution problem under the name approximate merge algorithm.

A. NOISY COLLISION SEARCH
For a vector $a \in \mathbb{Z}_q^m$, we call a vector $t \in \mathbb{Z}_q^m$ a $B$-noisy collision of $a$ if $\|a - t\|_\infty \le B$ for some $B < q/2$, where the difference is taken in $(-q/2, q/2]$. Consider a set $T \subset \mathbb{Z}_q^m$ and a vector $a \in \mathbb{Z}_q^m$. Our purpose is to determine whether $T$ contains a $B$-noisy collision $t$ of $a$, and if so to return such a $t$. We mainly exploit the simple locality-sensitive hash $\mathrm{sgn} : \mathbb{Z}_q \to \{0, 1\}$ defined by $\mathrm{sgn}(x) = 1$ for $x \in [0, q/2)$ and $0$ otherwise, applied coordinate-wise to vectors. For every $B$-noisy collision $t = (t_i)$ of $a = (a_i)$, the signs $\mathrm{sgn}(a_i)$ and $\mathrm{sgn}(t_i)$ of the $i$-th entries must coincide whenever $a_i$ lies in
$$V_B := [B, q/2 - B) \cup [-q/2 + B, -B) \subset \mathbb{Z}_q,$$
the set of elements at distance at least $B$ from the two sign boundaries $0$ and $q/2$, which has $q - 4B$ elements for even $q$. For a vector $a = (a_i) \in \mathbb{Z}_q^m$, define the index set $I_a := \{ i : a_i \in V_B \}$, and define a function $\mathrm{sgn}' : \mathbb{Z}_q \to \{0, 1, \ast\}$ that returns $\mathrm{sgn}(a)$ if $a \in V_B$ and the wildcard $\ast$ otherwise. From the above observation we have the following fact, which is the foundation of our algorithm: if $T$ has a $B$-noisy collision of $a$, then there is a binary string $(b_1, \cdots, b_m) \in \mathrm{sgn}(T)$ such that $b_i = \mathrm{sgn}'(a_i)$ for every index $i \in I_a$.

1) DETAILED ALGORITHMS
We give two algorithms, Preprocess and Search. Preprocess builds a hash table $H$ that stores every $t \in T$ under the key $\mathrm{sgn}(t) \in \{0, 1\}^m$ (entries with the same key are kept in a linked list). Search, on input $(H, a, B)$, computes $\mathrm{sgn}'(a)$ and enumerates every binary string that agrees with $\mathrm{sgn}'(a)$ on $I_a$ (the $m - |I_a|$ wildcard positions are free); for each such string it looks up the corresponding bucket of $H$ and, for each stored $t$ in the bucket, checks whether $\|a - t\|_\infty \le B$. It returns the first $t$ that passes the check, and returns $\perp$ if no stored vector does.

2) ALGORITHM ANALYSIS
First, the following proposition asserts that our algorithm finds a $B$-noisy collision whenever one exists.
Proposition: Let $H$ be the output of Preprocess on $T$. Then Search on input $(H, a, B)$ returns a vector if and only if $T$ contains a $B$-noisy collision of $a$. In particular, every returned vector is a $B$-noisy collision of $a$.
Proof: The second claim is immediate, since a vector is returned only after the check $\|a - t\|_\infty \le B$. For the first claim, one direction is clear since the output vector itself is a noisy collision in $T$. Conversely, suppose that $T$ has a noisy collision $t$. Since $\mathrm{sgn}(t)$ is one of the strings enumerated from $\mathrm{sgn}'(a)$, Search outputs $t$ unless it terminates earlier with some other vector $t'$.
To investigate the (time) cost of the algorithms, we present the following lemma and heuristic. We claim that under Heuristic 1, if $m$ is sufficiently large, the computation of $\|\cdot\|_\infty$ almost never occurs for a randomly chosen query $a \in \mathbb{Z}_q^m$.
Lemma 2: For a uniformly random $a \in \mathbb{Z}_q^m$, $|I_a| = m(1 - 4B/q)$ on average.
Heuristic 1: Let $m, q > 0$ be positive integers and $B \in (0, q/4)$, and consider $T \subset \mathbb{Z}_q^m$ whose elements are sampled from the uniform distribution. Let $H$ be the output of Preprocess on $T$. Then for a random vector $a \leftarrow \mathbb{Z}_q^m$, the probability that Search never computes the $\|\cdot\|_\infty$ norm is at least $1 - 1/|T|$.
We justify the heuristic as follows. Since $|I_a| = m(1 - 4B/q)$ for random $a \in \mathbb{Z}_q^m$ on average by Lemma 2, Search visits $2^{m - |I_a|} = 2^{4mB/q}$ keys, and a uniformly distributed table entry $t$ has $\mathrm{sgn}(t)$ among the visited keys with probability $2^{-|I_a|}$, so the expected number of bucket hits (and hence of norm computations) is $|T| \cdot 2^{-|I_a|}$, which is at most $1/|T|$ once $m(1 - 4B/q) \ge 2 \log_2 |T|$. We therefore heuristically assume that Search visits $2^{4mB/q}$ keys and computes no norm. Considering all of the above, we assess the total time cost in Table 1.

B. NOISY MEET-IN-THE-MIDDLE ATTACK ON LWE
We now present a (noisy) MITM attack for LWE that uses noisy collision search; a formal description is given in Algorithm 1. We remark that, since we mainly use this algorithm as a subroutine of the main hybrid attack for DLWE, Algorithm 1 is described for DLWE, although it actually solves the search version of LWE as well (the pair $v_1, v_2$ found in the collision gives the secret $v_1 + v_2$). Here $h_1$ and $h_2$ denote the Hamming weight bounds for the two halves of the secret, so that secrets in $\mathcal{B}_{n,\le h_1 + h_2}$ are covered.
Algorithm 1 Noisy MITM attack on DLWE
Input: samples $(A, b) \in \mathbb{Z}_q^{m \times (n+1)}$, error bound $B$, weight bounds $h_1, h_2$
Output: 1 if $(A, b)$ is decided to be an LWE sample, 0 otherwise
1: $T \leftarrow \{ A v_1 : v_1 \in \mathcal{B}_{n,\le h_1} \}$
2: $H \leftarrow$ Preprocess$(T)$
3: for each $v_2 \in \mathcal{B}_{n,\le h_2}$ do
4: $v \leftarrow b - A v_2$; if Search on input $(H, v, B)$ returns a vector, then return 1
5: end for
6: return 0
When $\chi$ is $(B, \varepsilon)$-bounded, Algorithm 1 returns 1 on LWE samples with secret in $\mathcal{B}_{n,\le h_1 + h_2}$ with probability at least $(1 - \varepsilon)^m$.
Proof: If the input $(A, b)$ is an LWE sample with sparse ternary secret $s \in \mathcal{B}_{n,\le h_1 + h_2}$, we exhaustively run the noisy search over $v_1 \in \mathcal{B}_{n,t_1}$ for $t_1 \le h_1$ and $v_2 \in \mathcal{B}_{n,t_2}$ for $t_2 \le h_2$. This search must encounter a pair $(s_1, s_2)$ such that $s = s_1 + s_2$, and for that pair the following equation holds:
$$b - A s_2 = A s_1 + e,$$
so $A s_1 \in T$ is a $B$-noisy collision of the query $b - A s_2$ whenever $\|e\|_\infty \le B$. Since Algorithm 1 then returns 1, and each coordinate of the error $e$ independently follows the $(B, \varepsilon)$-bounded distribution $\chi$, we conclude that the algorithm succeeds with probability at least $(1 - \varepsilon)^m$.
To apply the analysis of noisy collision search, we need the following assumption, which says that the vectors in the table and the queries are randomly distributed over $\mathbb{Z}_q^m$.
Assumption 3: For a fixed matrix $A \in \mathbb{Z}_q^{m \times n}$, the distribution of vectors of the form $As$ where $s \leftarrow \mathcal{B}_{n,\le h}$ is sufficiently close to the uniform distribution over $\mathbb{Z}_q^m$.

Proposition 3: Suppose that Assumption 3 holds. Then for a uniformly random matrix $A \in \mathbb{Z}_q^{m \times n}$ and a uniformly random $b \in \mathbb{Z}_q^m$, the probability that Algorithm 1 returns 1 is at most
$$N_T(n, h_1) \cdot N_q(n, h_2) \cdot (2B/q)^m,$$
where $N_T(n, h_1)$ and $N_q(n, h_2)$ denote the number of vectors in the table and the number of queries, respectively.
Proof: By Assumption 3, we may consider every query $v = b - A v_2$ as a random sample from $\mathbb{Z}_q^m$. Again by the assumption, the set $T$ is randomly distributed over $\mathbb{Z}_q^m$, so the probability that a $B$-noisy collision of $v$ lies in $T$ is at most $N_T \cdot (2B/q)^m$. Since we make at most $N_q$ queries, the claim follows.
Clearly, the time complexity of Algorithm 1 is the sum of the table construction and Preprocess time $T_{\mathrm{pre}}$ and the total noisy search time $T_{\mathrm{search}}$. The size of the table $N_T$ and the number of queries $N_q$ are given by
$$N_T = |\mathcal{B}_{n,\le h_1}| = \sum_{t=0}^{h_1} \binom{n}{t} 2^t, \qquad N_q = |\mathcal{B}_{n,\le h_2}| = \sum_{t=0}^{h_2} \binom{n}{t} 2^t$$
for given $h_1, h_2$. Finally, supposing that Assumption 3 holds and that $m$ satisfies condition (1), we have the following cost estimation.
• $T_{\mathrm{pre}}$ consists of $N_T \cdot n^2$ operations over $\mathbb{Z}_q$ for constructing the table $T$, and Preprocess requires another $N_T \cdot m$ operations.
• Since each Search call costs $2^{4mB/q}$ on average, we have $T_{\mathrm{search}} = O(N_q \cdot 2^{4mB/q})$.
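The noisy collision search of Section IV.A and Algorithm 1 together, as an added example in plain Python; this is not code from the paper or from its estimator. The toy parameters ($q = 4096$, $m = 16$, $n = 12$, $B = 4$, a weight-4 secret split with $h_1 = h_2 = 2$) and the instance generator are assumptions chosen here so that the enumeration finishes instantly. $V_B$ is implemented as the sign-stable region $[B, q/2 - B) \cup [-q/2 + B, -B)$, and Search returns `None` where the text returns $\perp$.

```python
"""Noisy collision search (Preprocess/Search) and the noisy MITM attack
(Algorithm 1) on a constructed toy sparse-ternary LWE instance."""
import itertools
import random

# Toy parameters constructed for this example (not a parameter set from the paper).
Q = 4096   # modulus q
M = 16     # number of samples m
N = 12     # dimension n
B = 4      # noisy-collision bound: the attack succeeds when ||e||_inf <= B


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def sgn(x, q=Q):
    """The locality-sensitive hash sgn: 1 on [0, q/2), 0 elsewhere."""
    return 1 if 0 <= centered(x, q) < q / 2 else 0


def in_v_b(x, bound=B, q=Q):
    """x in V_B = [B, q/2 - B) U [-q/2 + B, -B): every x' with |x - x'| <= B
    has the same sign as x, so sgn is stable under B-bounded noise there."""
    x = centered(x, q)
    return (bound <= x < q / 2 - bound) or (-q / 2 + bound <= x < -bound)


def dist_inf(a, t, q=Q):
    """||a - t||_inf with the differences taken in (-q/2, q/2]."""
    return max(abs(centered(ai - ti, q)) for ai, ti in zip(a, t))


def preprocess(table):
    """Preprocess: bucket every t in T under the key sgn(t) in {0,1}^m."""
    buckets = {}
    for t in table:
        buckets.setdefault(tuple(sgn(x) for x in t), []).append(t)
    return buckets


def search(buckets, a, bound=B):
    """Search: enumerate the sign strings that agree with sgn'(a) on I_a
    (positions outside I_a are wildcards), look each bucket up, and return
    the first B-noisy collision of a, or None (the text's "bottom")."""
    fixed = [sgn(x) if in_v_b(x, bound) else None for x in a]
    free = [i for i, v in enumerate(fixed) if v is None]
    for bits in itertools.product((0, 1), repeat=len(free)):   # 2^{m-|I_a|} keys
        key = list(fixed)
        for i, bit in zip(free, bits):
            key[i] = bit
        for t in buckets.get(tuple(key), ()):
            if dist_inf(a, t) <= bound:   # the only place the norm is computed
                return t
    return None


def ternary_vectors(n, h):
    """Enumerate B_{n,<=h}: ternary vectors of length n with weight at most h."""
    for w in range(h + 1):
        for support in itertools.combinations(range(n), w):
            for signs in itertools.product((1, -1), repeat=w):
                v = [0] * n
                for i, sg in zip(support, signs):
                    v[i] = sg
                yield tuple(v)


def matvec(A, v, q=Q):
    return tuple(sum(aij * vj for aij, vj in zip(row, v)) % q for row in A)


def mitm_attack(A, b, h1, h2, bound=B):
    """Algorithm 1, search version: return s = v1 + v2 with v1 in B_{n,<=h1},
    v2 in B_{n,<=h2} and ||b - A s||_inf <= bound, or None when no pair
    collides (i.e. (A, b) is rejected as uniform)."""
    n = len(A[0])
    table = {}                                   # T = {A v1}, remembering v1
    for v1 in ternary_vectors(n, h1):
        table.setdefault(matvec(A, v1), v1)
    buckets = preprocess(list(table))            # Preprocess(T)
    for v2 in ternary_vectors(n, h2):            # N_q queries
        query = tuple((bi - ti) % Q for bi, ti in zip(b, matvec(A, v2)))
        t = search(buckets, query, bound)
        if t is not None:
            return tuple(x + y for x, y in zip(table[t], v2))
    return None


def make_instance(n=N, m=M, h=4, bound=B, q=Q, seed=1):
    """Constructed toy LWE instance: uniform A, ternary s of weight h, and
    error coordinates uniform in [-bound, bound] (so ||e||_inf <= bound)."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [0] * n
    for i in rng.sample(range(n), h):
        s[i] = rng.choice((1, -1))
    e = [rng.randint(-bound, bound) for _ in range(m)]
    b = tuple((x + ei) % q for x, ei in zip(matvec(A, s), e))
    return A, b, tuple(s)


def random_table(size, m=M, q=Q, seed=3):
    """Constructed uniform vectors in Z_q^m, standing in for a table T of random entries."""
    rng = random.Random(seed)
    return [tuple(rng.randrange(q) for _ in range(m)) for _ in range(size)]


if __name__ == "__main__":
    A, b, s = make_instance()
    print("secret recovered:", mitm_attack(A, b, 2, 2) == s)
```

With $B/q = 1/1024$ almost every coordinate of a query lies in $V_B$, so Search enumerates one or two keys per query, and a uniform $b$ is rejected because no bucket ever passes the norm check; pushing $B$ towards $q/4$ makes the number of wildcard positions, and hence the $2^{4mB/q}$ enumeration, blow up.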

V. A NEW HYBRID ATTACK FOR THE LWE PROBLEM
In this section, we propose a hybrid attack that combines lattice reduction and the MITM attack. More precisely, we use the dual attack as a trade-off method on the LWE samples that increases the error size while reducing the dimension and the Hamming weight of the secret vector. Since the cost of the MITM attack of the previous section depends heavily on the dimension of the secret vector but is less sensitive to the error size, this trade-off greatly reduces the MITM attack cost.

A. DIMENSION-ERROR TRADE-OFF OF LWE
In this section we interpret Albrecht's dual attack as a dimension-error trade-off and analyze it in detail. For given LWE samples $(A, b) \in \mathbb{Z}_q^{m \times (n+1)}$ from $A^{\mathrm{LWE}}_{n,q,\alpha,s}$ and $k < n$, divide $A$ into $A_1$ and $A_2$ consisting of the first $n - k$ columns and the remaining $k$ columns, and $s = (s_1 \| s_2)$ accordingly, so that $s_2$ consists of the last $k$ entries of $s$. For any vector $(y_1, y_2) \in \Lambda_{q,c}(A_1)$ it holds that
$$\langle y_1, b\rangle = \langle y_1^t A_1, s_1\rangle + \langle y_1^t A_2, s_2\rangle + \langle y_1, e\rangle \equiv_q \langle y_1^t A_2, s_2\rangle + c \cdot \langle y_2, s_1\rangle + \langle y_1, e\rangle.$$
Now, if $(y_1, y_2)$ is sufficiently short that $|\langle y_1, e\rangle|,\ c \, |\langle y_2, s_1\rangle| \ll q$, we have a new LWE-like sample
$$(y_1^t A_2,\ \langle y_1, b\rangle) = (a',\ \langle a', s_2\rangle + e') \in \mathbb{Z}_q^{k+1}$$
with new secret vector $s_2$ and error $e' = c \cdot \langle y_2, s_1\rangle + \langle y_1, e\rangle$.
Algorithm 2 performs this dimension-error trade-off; we use Assumption 1 to justify the choice of $c$ in Section 3.1. In other words, we choose $c = \frac{\alpha q}{\sqrt{2\pi}} \cdot \frac{\|y_1\|}{|\langle y_2, s_1\rangle|}$ and assume that each entry of $y$ has similar size $\|y\| / \sqrt{m+n}$. Proposition 4 states formally that Algorithm 2 serves as a trade-off algorithm for the LWE problem, in particular giving the bound $B$ on the new error $e'$.

1) AMORTIZING AND HEURISTIC FOR ALGORITHM 2
We remark that Albrecht's amortizing technique and the heuristic assumption described in Section 3 work well for this trade-off. More precisely, the amortizing technique reduces the time cost of multiple runs of the trade-off algorithm to, essentially, the time cost of one run of Algorithm 2. Moreover, under the heuristic assumption we can obtain arbitrarily many independent trade-offed LWE samples from a bounded number, e.g. $m = O(n)$, of given LWE samples. We employ these techniques in the hybrid attack and in the estimation as well.

B. OUR HYBRID ATTACK
Now we are able to describe our hybrid attack, which is formally written in Algorithm 3. We first explain how to choose the parameters $m$ and $\tau$ optimally from the inputs; the concrete formula for each parameter can be found in Appendix VIII.
• The number $m$ of $n$-dimensional DLWE samples is set to minimize the length of the short vectors obtained from BKZ with root-Hermite factor $\delta_0$.
• The error bound $B$ is subsequently obtained from $m$ by Proposition 4.
Proof: Let the secret vector $s = (s_1 \| s_2)$ be split in the same way as $y = (y_1 \| y_2)$ in Algorithm 2, so that $s_2$ is the $k$-dimensional part that survives the trade-off. Algorithm 3 runs Algorithm 1 on the trade-offed input $(A', b')$, whose LWE secret is $s_2$. Thus Algorithm 1 can return 1 only if $\mathrm{HW}(s_2) \le h_1 + h_2$. For $s \leftarrow \mathcal{B}_{n,h}$ this probability is
$$p' = \Pr[\mathrm{HW}(s_2) \le h_1 + h_2] = \sum_{j=0}^{h_1 + h_2} \frac{\binom{k}{j} \binom{n-k}{h-j}}{\binom{n}{h}},$$
and from the choice of $B$ and Proposition 4 we get $p = (1 - 2e^{-4\pi})^m \cdot p'$. Under the amortizing technique and the heuristic assumption, the time cost of the trade-off phase is approximately that of one lattice reduction, and the condition that sufficiently many samples are available is removed. (We note that the parameter $\tau$ does not critically affect the performance when we use the amortization technique; hence we choose $\tau$ by the heuristic computation.) Overall, the total time complexity of Algorithm 3 is dominated by the sum of the lattice reduction time $T_{\mathrm{lat}}$ and the Algorithm 1 time $T_{\mathrm{pre}} + T_{\mathrm{search}}$. Since we take $\tau$ according to Heuristic 1, Table 2 is also applicable to this case, which yields the following time cost table under the amortizing technique.

VI. ATTACK COMPLEXITY ESTIMATION
In the previous sections, we analyzed the running time $T$ and success probability $p$ of our attack for given parameters $k, h_1, h_2$. In this section, we show estimates of the bit-security of the LWE problem with respect to our attack, defined by
$$\log T - \log p \qquad (4)$$
for the choice of $k, h_1, h_2$ that minimizes this quantity. (Although there is no formal definition of bit-security, (4) is one of the generally accepted measures; the widely used LWE attack complexity estimator, the LWE-estimator [23], also computes bit-security according to (4).)
We implemented an estimator that computes the optimized bit-security of the LWE problem against our hybrid attack by appropriately choosing $\delta_0, k, h_1, h_2$. The code can be found at github.com/swanhong/HybridLWEAttack; besides the bit-security estimation, we also confirm that our attack actually works by implementing it, and that code can be found on the same page. We assume the following for our complexity estimation.
• The costs of a table look-up and of a linked-list insertion are each equal to one ring operation in $\mathbb{Z}_q$.
• The cost of the Search algorithm is estimated by $2^{4mB/q}$.
• The amortizing technique and the heuristic assumptions discussed in Sections 3 and 5 are also applied.
As an example, Table 4 gives the estimated complexity of our attack, obtained by running the estimator code for sparse ternary LWE problems with various $n$ and $q$ while $\alpha$ and $h$ are fixed to $8/q$ (i.e. $\alpha q = 8$) and $64$. We remark that such large-scale parameters are actually used in many applications [21], [35]-[37], although not all of them use a sparse secret. The 'best' row comes from the LWE-estimator version 2019-2-14 with the BKZ.sieve cost model [23].
Our attack performs better than the current best attack (Albrecht's dual attack) for modulus $q \ge 2^{40}$, but the order is reversed for smaller moduli. In this regard, we note that Albrecht's dual attack can be regarded as the special case $h_1 = 0$ of our attack (a one-entry table and exhaustive search over $v_2$), so if our code explored the whole parameter range, our algorithm would necessarily perform at least as well as Albrecht's dual attack. However, it takes too much time to check all possible parameter ranges, and we instead search a plausible range: our code only explores the regime $h_1, h_2 \le h/2$, which may not capture the true optimum. Meanwhile, the estimates for small modulus $q$ imply that exhaustive search beats the MITM approach for those parameters, which seems odd at first glance. It does make sense, however, because the running time of our MITM algorithm grows exponentially with $B/q$, where $B$ is the error bound. To keep $B/q$ small after the dimension-error trade-off, we may have to find shorter vectors in the lattice reduction stage than Albrecht's dual attack does. Particularly for small modulus $q$, the additional cost of finding such shorter vectors offsets the benefit of the MITM approach, which explains the results in Table 4.
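The cost accounting behind (4), as an added Python example that is not the authors' Sage estimator: it combines the MITM costs of Section IV ($T_{\mathrm{pre}}$, $T_{\mathrm{search}}$ with $N_T, N_q = |\mathcal{B}_{k,\le h_i}|$), the hypergeometric success probability $p'$ and the $(1 - 2e^{-4\pi})^m$ factor of Section V, and minimizes $\log T - \log p$ over $h_1, h_2$. The trade-off parameters $(k, m, B/q)$ and the amortized lattice-reduction cost $T_{\mathrm{lat}}$ are taken as inputs; the lattice reduction itself and the BKZ cost model are not modelled here, and the sample inputs in the main block are assumed values for illustration, not figures from Table 4.

```python
"""Bit-security log2 T - log2 p of the hybrid attack for a fixed trade-off
(k, m, B/q) and a given lattice-reduction cost, minimised over h1, h2."""
import math

# log2 Pr[one trade-offed error coordinate stays within the bound B]  (Section V)
LOG2_ERR_OK = math.log2(1 - 2 * math.exp(-4 * math.pi))


def log2_ternary_count(n, h):
    """log2 |B_{n,<=h}| = log2 sum_{t<=h} C(n,t) 2^t  (N_T for h1, N_q for h2)."""
    return math.log2(sum(math.comb(n, t) * 2 ** t for t in range(h + 1)))


def prob_weight_at_most(n, k, h, w):
    """p' = Pr[HW(s_2) <= w] for the last k coordinates of a uniform s in B_{n,h}:
    hypergeometric, since HW(s_2) counts the nonzeros among the k kept columns."""
    top = sum(math.comb(k, j) * math.comb(n - k, h - j) for j in range(min(w, k, h) + 1))
    return top / math.comb(n, h)


def log2_add(x, y):
    """log2(2^x + 2^y) without overflowing a float."""
    hi, lo = max(x, y), min(x, y)
    return hi + math.log2(1 + 2 ** (lo - hi))


def log2_mitm_cost(k, m, b_over_q, h1, h2):
    """log2(T_pre + T_search) for Algorithm 1 on m trade-offed k-dimensional samples:
    T_pre = N_T (k^2 + m) ring operations, T_search = N_q 2^{4 m B/q}."""
    t_pre = log2_ternary_count(k, h1) + math.log2(k * k + m)
    t_search = log2_ternary_count(k, h2) + 4 * m * b_over_q
    return log2_add(t_pre, t_search)


def hybrid_bit_security(n, h, k, m, b_over_q, log2_t_lat, max_weight):
    """Minimise log2 T - log2 p over h1, h2 <= max_weight, with
    T = T_lat + T_pre + T_search and p = (1 - 2e^{-4 pi})^m p'.
    Returns (bits, h1, h2) for the best split found."""
    best = None
    for h1 in range(max_weight + 1):
        for h2 in range(max_weight + 1):
            log2_t = log2_add(log2_t_lat, log2_mitm_cost(k, m, b_over_q, h1, h2))
            p_weight = prob_weight_at_most(n, k, h, h1 + h2)
            if p_weight == 0:
                continue
            log2_p = m * LOG2_ERR_OK + math.log2(p_weight)
            bits = log2_t - log2_p
            if best is None or bits < best[0]:
                best = (bits, h1, h2)
    return best


if __name__ == "__main__":
    # Illustrative inputs (assumed, not from Table 4): n = 2^15, h = 64, keep k = 256
    # columns, m = 512 trade-offed samples, B/q = 2^-14 and T_lat = 2^100.
    print(hybrid_bit_security(2 ** 15, 64, 256, 512, 2 ** -14, 100.0, 8))
```

Raising $B/q$ only touches the $4mB/q$ exponent in $T_{\mathrm{search}}$, which is why the optimizer drifts towards $h_2 = 0$ (plain exhaustive search) as the trade-offed error grows, matching the small-modulus behaviour described above.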
Our attack suggests that fully homomorphic encryption implementations using the sparse ternary LWE problem with a large modulus $q$ should revise their parameter selection. In particular, HElib [16] and HEAAN [18] use sparse ternary secrets by default. SEAL [17] uses a (non-sparse) ternary secret key, but the paper [20] that adds bootstrapping to SEAL also uses sparse ternary secret vectors. On the other hand, our attack has no impact on the schemes submitted to the NIST Post-Quantum Cryptography Standardization, since they use parameters that are too small, although some of the LWE-based schemes there use sparse secrets.

VII. A FLAW OF MEET-IN-THE-MIDDLE ATTACK IN [23] ON LWE
Albrecht et al. [23] consider a meet-in-the-middle (MITM) attack on LWE based on lexicographic-order sorting, but its analysis has a significant flaw, which we discuss in this section.
The purpose of the MITM attack in [23] is to find $s = (s_1 | s_2)$ for $s_1, s_2 \in \mathbb{Z}_q^{n/2}$. The attack proceeds as follows:
• For a given DLWE sample $(A, b) \in \mathbb{Z}_q^{m \times (n+1)}$ with secret vector $s$, parse $A$ into $(A_1, A_2)$ with $A_1 \in \mathbb{Z}_q^{m \times n/2}$ and $A_2 \in \mathbb{Z}_q^{m \times n/2}$, and store $A_1 t_1$ for every possible left candidate $t_1 \in \mathbb{Z}_q^{n/2}$ in a list sorted in lexicographic order.
• For each right candidate $t_2 \in \mathbb{Z}_q^{n/2}$, locate $b - A_2 t_2$ in the list by binary search and check whether one of the two adjacent vectors $A_1 t_1$ yields $(t_1 | t_2) = s$.
Unfortunately, this approach may fail to output the correct $(s_1 | s_2)$, since there is no guarantee that $b - A_2 s_2$ and $A_1 s_1$ are adjacent in lexicographic order: there may be many other list elements whose lexicographic distance from $b - A_2 s_2$ is less than that between $b - A_2 s_2$ and $A_1 s_1$. The flaw comes from the fact that lexicographic order only ensures that two adjacent vectors have close entries in the first few coordinates, and guarantees nothing for the remaining coordinates. In practice these elements make the success probability of the algorithm negligibly small.
More precisely, suppose that the vectors $A_1 t$ are uniformly and independently distributed, and that the first coordinates of $b - A_2 s_2$ and $A_1 s_1$ differ by $B > 0$. Then the probability that a given $A_1 t$ is nearer to $b - A_2 s_2$ than $A_1 s_1$ in lexicographic order is at least $(2B - 1)/q$. Since these events are independent, the probability that at least one such $A_1 t$ exists in the sorted list of size $T$ is
$$1 - \Big(1 - \frac{2B - 1}{q}\Big)^T,$$
which is very close to 1 even for polynomially large $T$ (and $T$ is usually exponentially large). Hence the success probability of the algorithm is negligible.
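A simulation of the flaw, added here as an example and not taken from [23] or from the paper: a random list of vectors in $\mathbb{Z}_q^m$ is sorted lexicographically, the query is the true partner plus noise of at most $B$ per coordinate, the query's insertion point is found by binary search, and the trial checks whether the true partner is one of the two adjacent entries. The same trial also applies the correct criterion (the unique list entry within $\ell_\infty$ distance $B$) for comparison, and the estimate $1 - (1 - (2B-1)/q)^T$ from the text is computed alongside. The parameters ($q = 1024$, $m = 8$, $T = 4096$, $B = 8$) are constructed for the demonstration.

```python
"""How often is the true partner A1*s1 adjacent to the query b - A2*s2 in a
lexicographically sorted list, versus how often it is the l_inf-nearest entry?"""
import bisect
import random


def trial(rng, q, m, size, bound):
    """One trial: random list in Z_q^m, one entry chosen as the true partner, a
    query equal to that entry plus per-coordinate noise in [-bound, bound].
    Returns (lex_hit, linf_hit)."""
    table = [tuple(rng.randrange(q) for _ in range(m)) for _ in range(size)]
    true = table[rng.randrange(size)]
    query = tuple((x + rng.randint(-bound, bound)) % q for x in true)

    # The step from [23]: binary search in the sorted list, look at both neighbours.
    ordered = sorted(table)
    pos = bisect.bisect_left(ordered, query)
    lex_hit = true in ordered[max(pos - 1, 0):pos + 1]

    # The correct criterion: the entry within l_inf distance `bound` (mod q).
    def close(t):
        return all(min((x - y) % q, (y - x) % q) <= bound for x, y in zip(query, t))
    linf_hit = [t for t in table if close(t)] == [true]
    return lex_hit, linf_hit


def failure_rates(trials=200, q=1024, m=8, size=4096, bound=8, seed=0):
    """Fraction of trials in which each criterion misses the true partner."""
    rng = random.Random(seed)
    lex_miss = linf_miss = 0
    for _ in range(trials):
        lex_hit, linf_hit = trial(rng, q, m, size, bound)
        lex_miss += not lex_hit
        linf_miss += not linf_hit
    return lex_miss / trials, linf_miss / trials


def predicted_lex_failure(q, size, bound):
    """The text's estimate 1 - (1 - (2B-1)/q)^T that some other entry is
    lexicographically nearer to the query than the true partner."""
    return 1 - (1 - (2 * bound - 1) / q) ** size


if __name__ == "__main__":
    lex, linf = failure_rates()
    print("lexicographic adjacency misses: %.2f, l_inf search misses: %.2f" % (lex, linf))
    print("predicted lexicographic failure: %.4f" % predicted_lex_failure(1024, 4096, 8))
```

The lexicographic step fails in the large majority of trials because any entry whose first coordinate lies between those of the query and the true partner (or ties it) separates them in the sorted order, while the $\ell_\infty$ criterion never misses at these sizes; the simulated rate is somewhat below the estimate because only entries on the true partner's side of the query actually block adjacency.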