Analysis on Aigis-Enc: Asymmetrical and symmetrical

Aigis-Enc is an encryption algorithm based on asymmetrical learning with errors (LWE). A thorough comparison is made between Aigis-Enc (with the recommended parameters) and a symmetrical LWE encryption scheme on the same scale (the sampling parameters are $\{\eta_1, \eta_2\} = \{2, 2\}$ instead of $\{1, 4\}$) in terms of chosen-plaintext attack (CPA) security, computation complexity and decryption failure probability. In particular, the authors ascertain that the CPA security of Aigis-Enc is 160.895, and that of the symmetrical LWE encryption scheme on the same scale is 161.834. The ratio of computation complexity on the sampling amount of the former and the latter is 5:4 in the key generation phase and 19:14 in the encryption phase. The decryption failure probability of the former is $2^{-128.699}$ and that of the latter is $2^{-67.0582}$; the authors then show how to reduce the decryption failure probability of the latter significantly by increasing some traffic. Furthermore, the attacks presented by the designers of Aigis-Enc, including primal attacks and dual attacks, are generalised. Our attacks are more extensive, simpler, and clearer. With them, the optimal attacks and the 'optimal-optimal attacks' on Aigis-Enc and the symmetrical LWE scheme on the same scale are obtained.

former's is $2^{-128.699}$, the latter's is $2^{-67.0582}$. The comparison seems to be dramatic. But in fact, we can slightly increase the traffic, that is, compress less, to keep the decryption failure probability unchanged. In particular, we change the compression parameters $(d_1, d_2, d_3)$ from $(9, 9, 4)$ to $(10, 10, 4)$, which means a large part of the public key remains the same, while the small part of the public key changes from 9 bits per entry to 10 bits. A large part of the ciphertext changes from 9 bits per entry to 10 bits, while the small part of the ciphertext remains the same. Thus, the communication traffic increases by less than $\frac{1}{9}$, while the decryption failure probability is lower than $2^{-128.699}$.
We generalise the attacks presented by the designers of Aigis-Enc, including primal attacks and dual attacks. More specifically, our attacks are more extensive, simpler, and clearer. With them, we obtain the optimal attacks and the 'optimal-optimal attack' on Aigis-Enc and the symmetrical LWE scheme on the same scale.

| Conventions and some special notations
Due to the module learning with errors [13,14] structure Aigis-Enc has, we use some special notations to simplify our expression.
We name the square matrix
$$\begin{pmatrix} a_0 & a_1 & \cdots & a_{255} \\ -a_{255} & a_0 & \cdots & a_{254} \\ \vdots & \vdots & \ddots & \vdots \\ -a_1 & -a_2 & \cdots & a_0 \end{pmatrix}$$
and name it the transpose of vector v.
It is easy to see that, if u, v are two 256-dimension or two 768-dimension column vectors, Probability distribution $b_\eta$ is a centred binomial distribution with parameter $\eta$. In particular $b_1$ is the probability dis- Modulus $q = 7681$.

| Aigis-Enc with the recommended parameters: Without compression
q is a special matrix which is generated from nine 256 × 256 rotation matrices arranged in a 3 × 3 way with arbitrary order.
The public key is (A, b), and the secret key is s.
Encryption: first, transform matrix A to $A^T$, where $A^T$ is the 'transpose matrix' of A with respect to the 256 × 256 rotation sub-matrices (rather than with respect to entries).
Given a plaintext column vector $\mu =$ where r→ Obtain q is a special matrix which is generated from nine 256 × 256 rotation matrices arranged in a 3 × 3 way with arbitrary order.
The public key is (A, b), and the secret key is s.
Encryption: transform matrix A to $A^T$. Given a plaintext column vector $\mu =$ A , calculate the ciphertext $\{c_1, c_2\}$, where r→ Obtain

| Symmetrical LWE scheme on the same scale: With and without compression
The scheme is almost the same as Aigis-Enc. The only difference is the sampling parameters {η 1 ,
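An added example (not code from the paper or from the Aigis-Enc designers) that reproduces the 5:4 and 19:14 sampling ratios quoted in the abstract by counting the random bits a centred binomial sampler consumes. It assumes the secret and r are drawn from $b_{\eta_1}$, the noise vectors from $b_{\eta_2}$, vector lengths of 768, 768 and 256, and that sampling cost is measured in uniform random bits; all function names are illustrative.

```python
import random
from fractions import Fraction

N_LONG, N_SHORT = 768, 256  # vector lengths that appear on this page

def sample_cbd(eta, n, rng):
    """Draw n coefficients from the centred binomial distribution b_eta.

    Each coefficient is sum(a_i - b_i) over eta pairs of uniform bits, so it
    lies in [-eta, eta], has variance eta/2 and costs 2*eta random bits.
    Returns (coefficients, random_bits_consumed).
    """
    coeffs, bits = [], 0
    for _ in range(n):
        word = rng.getrandbits(2 * eta)
        bits += 2 * eta
        a = bin(word & ((1 << eta) - 1)).count("1")  # popcount of low eta bits
        b = bin(word >> eta).count("1")              # popcount of high eta bits
        coeffs.append(a - b)
    return coeffs, bits

def keygen_bits(eta1, eta2, rng):
    # Assumption: secret s ~ b_eta1 and key-generation noise ~ b_eta2, length 768 each.
    return sample_cbd(eta1, N_LONG, rng)[1] + sample_cbd(eta2, N_LONG, rng)[1]

def encrypt_bits(eta1, eta2, rng):
    # Assumption: r ~ b_eta1 (768), x1 ~ b_eta2 (768), x2 ~ b_eta2 (256).
    return (sample_cbd(eta1, N_LONG, rng)[1]
            + sample_cbd(eta2, N_LONG, rng)[1]
            + sample_cbd(eta2, N_SHORT, rng)[1])

def sampling_ratios(asym=(1, 4), sym=(2, 2), seed=0):
    """Return (key generation, encryption) bit-count ratios, asymmetrical : symmetrical."""
    rng = random.Random(seed)  # not a CSPRNG; used here only for counting and statistics
    kg = Fraction(keygen_bits(*asym, rng), keygen_bits(*sym, rng))
    enc = Fraction(encrypt_bits(*asym, rng), encrypt_bits(*sym, rng))
    return kg, enc

def empirical_variance(eta, n=200_000, seed=1):
    """Sample variance of b_eta over n constructed draws (expected eta/2)."""
    xs, _ = sample_cbd(eta, n, random.Random(seed))
    mean = sum(xs) / n
    return sum((x - mean) ** 2 for x in xs) / n

if __name__ == "__main__":
    print(sampling_ratios())
    for eta in (1, 2, 4):
        print(eta, round(empirical_variance(eta), 3))
```

The asymmetrical choice spends more random bits overall, while the per-coefficient variances are 0.5 and 2 for {1, 4} against 1 and 1 for {2, 2}.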

| Scenario 1 and resource
We randomly choose two plaintexts $\mu^{(1)}$ and $\mu^{(2)}$ and send them to the Oracle. The Oracle randomly chooses one to encrypt and returns the ciphertext to us. Then we guess which plaintext in $\{\mu^{(1)}, \mu^{(2)}\}$ is encrypted. When we obtain the returned ciphertext $\{c_1, c_2\}$, a correct guess on the value of $\mu^{(i)}$ enables us to acquire 1024 LWE samples: in Equation (5)

| Scenario 3 and resource
From the public key we obtain the following 768 LWE samples: in Equation (7)

| Advantaged scenario and resource
Because the noise vector in Scenario 2 is larger than that in Scenario 1, and in Scenario 3 we obtain fewer LWE samples than in Scenario 1, we believe Scenario 1 is the advantaged attack scenario.

| Traditional primal attack
For d ∈ {770, 771, …, 1025}, we consider the d-dimension lattice generated by the column vectors of the matrix B below.
In Equation (8), $T(b)^*$ is the matrix constructed from $d - 769$ rows of $T(b)$, $(c_3)^*$ is the vector constructed from the corresponding $d - 769$ components of $c_3$, and $\mu^{(i)}$ is the correct plaintext. Note that the $d - 769$ rows chosen from the matrix can be arbitrary as long as they are linearly independent, but the $d - 769$ rows taken from the other matrices must correspond to the rows chosen in the first matrix. $c > 0$ and $t > 0$ are tunable parameters, written $(c, t)$. We also know that $(c \cdot r^T, x_2^{*T}, t)^T$ is a small vector of this lattice, where $x_2^*$ is the vector constructed from $d - 769$ components of the encryption noise vector $x_2$. The size of the small vector is √… approximately. The aim of the attack is to find the small vector. It is not difficult to see that 'the traditional primal attack' [15][16][17] proposed by the designers of Aigis-Enc is included in our traditional primal attack.

| Transformed primal attack
For d ∈ {770, 771, …, 1793}, we consider the lattice generated by the column vectors of the matrix B below.

| Optimal primal attack
The classic complexity of our primal attack is $2^{0.292b}$ (the quantum complexity is $2^{0.265b}$), where the parameter b is as small as possible while satisfying b ∈ [100, d] and The above inequality comes from the work of previous contributors [4,20]; we no longer take time to verify its rationality. Notice the following five facts: (1) The left part of Equation (11) is independent of the tunable parameters $(c, t)$. (2) The left part of Equation (11) In other words, the primal attack using $(c_0, t_0)$ as parameters is the optimal primal attack. Fortunately, f(c, t) does have a single stationary point $(c_0, t_0)$ in {c > 0, t > 0}, where Notice that the stationary point $(c_0, t_0)$ is independent of dimension d. Therefore, we obtain Proposition 1:

| The comparison of the complexity of the optimal primal attack and 'the optimal-optimal primal attack'
For each d ∈ {1022, …, 1793}, we can compute a corresponding b with Equations (11)-(13). Therefore, as is shown in Figure 1, with the data we obtain, we can draw a line graph in which the x axis is the dimension d, and the y axis is the classic complexity of the optimal primal attack. Note that the scale on the y axis is the exponent part of the complexity (e.g. 165 on the y axis represents the complexity of $2^{165}$). The minimum points on the curves are marked. In order to make the result more intuitive, we choose 13 sets of data in Table 1. Under 13 different values of d, we list the classic complexity of the optimal primal attack on Aigis-Enc and the symmetrical LWE scheme on the same scale. The so-called optimal-optimal primal attack is the optimal primal attack with a further optimised dimension d. It can be observed in Table 1 and Figure 1 that the complexity of the 'optimal-optimal primal attack' on Aigis-Enc is $2^{162.54}$, and that on the symmetrical LWE scheme on the same scale is $2^{163.436}$.

| Our dual attack
We consider the following 768 'trivial LWE samples': where $o \in \mathbb{Z}_q^{768}$ is a column vector whose components are all 0s. Therefore, we have the following 1792 LWE samples in total: is a matrix whose entries are all 0s. Now the rationality of Lemma 1 is obvious. Lemma 1: For any real number c > 0, ) is a matrix whose entries are all 0s.
(2) We have the following Equation (17): We consider the lattice generated by the row vectors of the matrix B below: where c > 0 is a tunable parameter. From Lemma 1 (1), this lattice is the entire set of row vectors v which satisfy The aim of our attack is to distinguish v r 1 c ) from some uniform value. Our attack includes all the dual attacks the designers of Aigis-Enc proposed, including 'the traditional dual attack' [21], 'the transformed dual attack 1', 'the transformed dual attack 2' [19], and 'the transformed dual attack 3' [22]. To be more specific: (1) 'The traditional dual attack' and 'the transformed dual attack 1' the designers of Aigis-Enc proposed are equivalent to our dual attack when c = 1; 'the transformed dual attack 3' the designers of Aigis-Enc proposed is equivalent to our dual attack when c = 2 √… (2) 'The transformed dual attack 2' the designers of Aigis-Enc proposed is equivalent to our dual attack when c = 2.
Although it is indeed the optimal dual attack on Aigis-Enc, they only declare that the attack is superior to the attack when c = 1.

| Optimal dual attack
In the work of previous contributors [4], the researchers use the complexity of solving the b-dimension sub-lattice shortest vector problem to conservatively estimate the complexity of finding the shortest vector in the d-dimension lattice. With the model they construct, the researchers conclude that the complexity of the dual attack is $\max\left\{1, \frac{\exp(4\pi^2\tau^2)}{2^{0.2075 \cdot b} \cdot 16}\right\}$, where $\tau = \ell \cdot \ell'$ √… The size of the small vector v on the lattice is estimated to

Therefore, if a single stationary point of $\ell \cdot \ell'$ in c > 0 exists, it will be the global minimum point where the classic complexity of the dual attack is the lowest. In ref. [19], the contributor indicates that when $\eta_1 = \eta_2$, the single stationary point is c = 1, which means the parameter of the optimal dual attack is c = 1. The designers of Aigis-Enc indicate that when $(\eta_1, \eta_2) = (1, 4)$, the dual attack can be more effective if we choose c = 2 rather than c = 1. Our conclusion is the following Proposition 2. The value of c is determined, it is time to determine the value of b. Since we only have b ≤ d, the value of b is hard to determine. Therefore, we make a conservative estimation, its classic complexity is

5.3 | The comparison of the complexity of the optimal dual attack and the 'optimal-optimal dual attack'
It is trivial to obtain that the classic complexity of the optimal dual attack on Aigis-Enc is $\min_{100 \le b \le d} \max\{1, \exp(4\pi^2\tau_1^2) \cdots\}$ where and that on the symmetrical LWE scheme on the same scale is $\min_{100 \le b \le d} \max\left\{1, \frac{\exp(4\pi^2\tau_2^2)}{2^{0.2075b} \cdot 16}\right\}$ where Therefore, the rationality of Proposition 3 below is obvious.
Proposition 3: When dimension d < 1536, the classic complexity of the optimal dual attack on Aigis is no higher than that on the symmetrical LWE scheme on the same scale; when dimension d ≥ 1536, the classic complexity of the optimal dual attack on Aigis is no lower than that on the symmetrical LWE scheme on the same scale.
For each d ∈ {1022, …, 1793}, we can compute a corresponding b with Equations (24)-(28). Therefore, as is shown in Figure 2, with the data we obtain, we can draw a line graph in which the x axis is the dimension d, and the y axis is the classic complexity of the optimal dual attack. The minimums on the curves are marked. In order to make the result more intuitive, we choose 13 sets of data in Table 2. Under 13 different values of d, we list the classic complexity of the optimal dual attack on Aigis-Enc and the symmetrical LWE scheme on the same scale.
It can be observed in Table 2 and Figure 2 that the complexity of the 'optimal-optimal dual attack' on Aigis-Enc is $2^{160.895}$, and that on the symmetrical LWE scheme on the same scale is $2^{161.834}$.

| Comparison on the CPA classic security strength (without compression)
Combining the content of Sections 4 and 5.1-5.3, the CPA classic security strength of Aigis-Enc is 160.895, and the CPA classic security strength of the symmetrical LWE scheme is 161.834.

FIGURE 2 The classic complexity of the optimal dual attack on Aigis and the symmetrical LWE scheme on the same scale. LWE, learning with errors