# An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

@article{Kirchner2015AnIB, title={An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices}, author={Paul Kirchner and Pierre-Alain Fouque}, journal={IACR Cryptol. ePrint Arch.}, year={2015}, volume={2015}, pages={552} }

In this paper, we study the Learning With Errors problem and its binary variant, where secrets and errors are binary or taken in a small interval. [...] We then introduce variants of BDD, GapSVP and UniqueSVP, where the target point is required to lie in the fundamental parallelepiped, and show how the previous algorithm is able to solve these variants in subexponential time. Moreover, we also show how the previous algorithm can be used to solve the BinaryLWE problem with n samples in subexponential…

## 98 Citations

Coded-BKW with Sieving

- Computer Science
- ASIACRYPT
- 2017

A new solving algorithm is presented combining important ideas from previous work on improving the BKW algorithm and ideas from sieving in lattices to improve asymptotic performance of the Learning with Errors problem.

The Asymptotic Complexity of Coded-BKW with Sieving Using Increasing Reduction Factors

- Computer Science, Mathematics
- 2019 IEEE International Symposium on Information Theory (ISIT)
- 2019

This paper improves coded-BKW with sieving, an algorithm combining the Blum-Kalai-Wasserman algorithm with lattice sieving techniques, by using different reduction factors in different steps of the sieving part of the algorithm.

Making the BKW Algorithm Practical for LWE

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

This paper presents new improvements for BKW-style algorithms for solving LWE instances and introduces a new reduction step where the last position is partially reduced in an iteration and the reduction is finished in the next iteration, allowing non-integer step sizes.

On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack

- Computer Science, Mathematics
- AFRICACRYPT
- 2016

Concrete hardness estimations are given that can be used to select secure parameters for schemes based on LWE with binary error, by applying the Howgrave-Graham attack on NTRU to this setting.

On the Sample Complexity of solving LWE using BKW-Style Algorithms

- Computer Science, Mathematics
- 2021 IEEE International Symposium on Information Theory (ISIT)
- 2021

This work shows that the Fast Fourier Transform (FFT) distinguisher from Eurocrypt’15 has the same sample complexity as the optimal distinguisher, when making the same number of hypotheses, and introduces an improvement of it called the pruned FFT distinguisher.

On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL

- Computer Science, Mathematics
- EUROCRYPT
- 2017

Novel variants of the dual-lattice attack against LWE in the presence of an unusually short secret are presented, informed by recent progress in BKW-style algorithms for solving LWE.

On the Asymptotics of Solving the LWE Problem Using Coded-BKW With Sieving

- Computer Science
- IEEE Transactions on Information Theory
- 2019

A new solving algorithm is presented combining important ideas from previous work on improving the Blum–Kalai–Wasserman (BKW) algorithm and ideas from sieving in lattices to provide asymptotic improvements when a quantum computer is assumed or when the number of samples is limited.

On the Hardness of Module-LWE with Binary Secret

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

We prove that the Module Learning With Errors (M-LWE) problem with binary secrets and rank d is at least as hard as the standard version of M-LWE with uniform secret and rank k, where the rank…

A Practical Post-Quantum Public-Key Cryptosystem Based on spLWE

- Computer Science, Mathematics
- ICISC
- 2016

This paper proposes an efficient instantiation of a PKE scheme based on LWE with a sparse secret, named as spLWE, and provides a polynomial time reduction from LWE with a uniformly chosen secret to spLWE.

## References

Lazy Modulus Switching for the BKW Algorithm on LWE

- Computer Science, Mathematics
- Public Key Cryptography
- 2014

This work presents a variant of the BKW algorithm for binary-LWE and other small secret variants and shows that this variant reduces the complexity for solving binary-LWE and lattice reduction techniques applied to the SIS problem.

On Ideal Lattices and Learning with Errors over Rings

- Computer Science, Mathematics
- JACM
- 2013

The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones, by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees.

On the complexity of the BKW algorithm on LWE

- Computer Science, Mathematics
- Des. Codes Cryptogr.
- 2015

This work presents a study of the complexity of the Blum–Kalai–Wasserman (BKW) algorithm when applied to the Learning with Errors (LWE) problem, by providing refined estimates for the data and…

New Algorithms for Learning in Presence of Errors

- Computer Science, Mathematics
- ICALP
- 2011

A slight (?) variation of the structured noise model, where upon pressing a button, the authors receive 10 random vectors a_1, a_2, ..., a_10 ∈ GF(2)^n, and corresponding bits b_1, b_2, ..., b_10, of which at most 3 are noisy, is introduced, and a polynomial-time algorithm to recover the secret vector u is exhibited.

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

- Computer Science, Mathematics
- CRYPTO
- 2009

This work proves the equivalence, up to a small polynomial approximation factor, of the lattice problems uSVP, BDD and GapSVP and the Ajtai-Dwork and the Regev cryptosystems, which were previously only known to be based on the hardness of USVP.

A Generalized Birthday Problem

- Mathematics, Computer Science
- CRYPTO
- 2002

A k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values XOR to zero, and gives an algorithm with subexponential running time when k is unrestricted.

On lattices, learning with errors, random linear codes, and cryptography

- Computer Science, Mathematics
- JACM
- 2009

A (classical) public-key cryptosystem whose security is based on the hardness of the learning problem, which is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem that is quantum.

Solving LPN Using Covering Codes

- Computer Science, Mathematics
- Journal of Cryptology
- 2019

The algorithm has a similar form as some previous methods, but includes a new key step that makes use of approximations of random words to a nearest codeword in a linear code, and outperforms previous methods for many parameter choices.

Efficient Fully Homomorphic Encryption from (Standard) LWE

- Computer Science, Mathematics
- 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science
- 2011

A new dimension-modulus reduction technique is introduced, which shortens the ciphertexts and reduces the decryption complexity of the scheme, showing that "somewhat homomorphic" encryption can be based on LWE, using a new re-linearization technique.

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to-Decision Reductions

- Mathematics, Computer Science
- CRYPTO
- 2011

It is shown that, for a wide range of parameters, m LWE samples can be proved indistinguishable from random just under the hypothesis that search LWE is a one-way function for the same number m of samples.