Learning with Errors (LWE) is a hard math problem used in post-quantum cryptography. Homomorphic Encryption (HE) schemes rely on the hardness of the LWE problem for their security, and two LWE-based cryptosystems were recently standardized by NIST for digital signatures and key exchange (KEM). Thus, it is critical to continue assessing the security of LWE and specific parameter choices. For example, HE uses small secrets, and the HE community has considered standardizing small sparse secrets to improve efficiency and functionality. However, prior work, SALSA and PICANTE, showed that ML attacks can recover sparse binary secrets. Building on these, we propose VERDE, an improved ML attack that can recover sparse binary, ternary, and small Gaussian secrets. Using improved preprocessing and secret recovery techniques, VERDE can attack LWE with larger dimensions ($n=512$) and smaller moduli ($\log_2 q=12$ for $n=256$), using less time and power. We propose novel architectures for scaling. Finally, we develop a theory that explains the success of ML LWE attacks.