An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

@article{Kirchner2015AnIB,
  title={An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices},
  author={Paul Kirchner and Pierre-Alain Fouque},
  journal={IACR Cryptol. ePrint Arch.},
  year={2015},
  volume={2015},
  pages={552}
}
In this paper, we study the Learning With Errors problem and its binary variant, where secrets and errors are binary or taken in a small interval. [...] We then introduce variants of BDD, GapSVP and UniqueSVP, where the target point is required to lie in the fundamental parallelepiped, and show how the previous algorithm is able to solve these variants in subexponential time. Moreover, we also show how the previous algorithm can be used to solve the BinaryLWE problem with n samples in subexponential…
Coded-BKW with Sieving
TLDR
A new solving algorithm is presented combining important ideas from previous work on improving the BKW algorithm and ideas from sieving in lattices to improve asymptotic performance of the Learning with Errors problem.
The Asymptotic Complexity of Coded-BKW with Sieving Using Increasing Reduction Factors
  • Erik Mårtensson
  • Computer Science, Mathematics
    2019 IEEE International Symposium on Information Theory (ISIT)
  • 2019
TLDR
This paper improves coded-BKW with sieving, an algorithm combining the Blum-Kalai-Wasserman algorithm with lattice sieving techniques, by using different reduction factors in different steps of the sieving part of the algorithm.
Making the BKW Algorithm Practical for LWE
TLDR
This paper presents new improvements for BKW-style algorithms for solving LWE instances and introduces a new reduction step where the last position is partially reduced in an iteration and the reduction is finished in the next iteration, allowing non-integer step sizes.
On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack
TLDR
Concrete hardness estimations are given that can be used to select secure parameters for schemes based on LWE with binary error, by applying the Howgrave-Graham attack on NTRU to this setting.
On the Sample Complexity of solving LWE using BKW-Style Algorithms
TLDR
This work shows that the Fast Fourier Transform (FFT) distinguisher from Eurocrypt’15 has the same sample complexity as the optimal distinguisher, when making the same number of hypotheses, and introduces an improvement of it called the pruned FFT distinguisher.
On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL
TLDR
Novel variants of the dual-lattice attack against LWE in the presence of an unusually short secret are presented, informed by recent progress in BKW-style algorithms for solving LWE.
On the Asymptotics of Solving the LWE Problem Using Coded-BKW With Sieving
TLDR
A new solving algorithm is presented combining important ideas from previous work on improving the Blum–Kalai–Wasserman (BKW) algorithm and ideas from sieving in lattices to provide asymptotic improvements when a quantum computer is assumed or when the number of samples is limited.
On the Hardness of Module-LWE with Binary Secret
We prove that the Module Learning With Errors (M-LWE) problem with binary secrets and rank d is at least as hard as the standard version of M-LWE with uniform secret and rank k, where the rank
A Practical Post-Quantum Public-Key Cryptosystem Based on $\textsf{spLWE}$
TLDR
This paper proposes an efficient instantiation of a PKE scheme based on LWE with a sparse secret, named as SpLWE, and provides a polynomial time reduction from $\textsf{LWE}$ with a uniformly chosen secret to $\textsf{spLWE}$.

References

Lazy Modulus Switching for the BKW Algorithm on LWE
TLDR
This work presents a variant of the BKW algorithm for binary-LWE and other small secret variants and shows that this variant reduces the complexity for solving binary-LWE and lattice reduction techniques applied to the SIS problem.
On Ideal Lattices and Learning with Errors over Rings
TLDR
The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones, by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees.
On the complexity of the BKW algorithm on LWE
This work presents a study of the complexity of the Blum–Kalai–Wasserman (BKW) algorithm when applied to the Learning with Errors (LWE) problem, by providing refined estimates for the data and
New Algorithms for Learning in Presence of Errors
TLDR
A slight (?) variation of the structured noise model, where upon pressing a button, the authors receive 10 random vectors a1, a2, ..., a10 ∈ GF(2)^n, and corresponding bits b1, b2, ..., b10, of which at most 3 are noisy, is introduced, and a polynomial-time algorithm to recover the secret vector u is exhibited.
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
TLDR
This work proves the equivalence, up to a small polynomial approximation factor, of the lattice problems uSVP, BDD and GapSVP and the Ajtai-Dwork and the Regev cryptosystems, which were previously only known to be based on the hardness of uSVP.
A Generalized Birthday Problem
  • D. Wagner
  • Mathematics, Computer Science
    CRYPTO
  • 2002
TLDR
A k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values XOR to zero, and gives an algorithm with subexponential running time when k is unrestricted.
On lattices, learning with errors, random linear codes, and cryptography
  • O. Regev
  • Computer Science, Mathematics
    JACM
  • 2009
TLDR
A (classical) public-key cryptosystem whose security is based on the hardness of the learning problem, which is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem that is quantum.
Solving LPN Using Covering Codes
TLDR
The algorithm has a similar form as some previous methods, but includes a new key step that makes use of approximations of random words to a nearest codeword in a linear code, and outperforms previous methods for many parameter choices.
Efficient Fully Homomorphic Encryption from (Standard) LWE
TLDR
A new dimension-modulus reduction technique is introduced, which shortens the ciphertexts and reduces the decryption complexity of the scheme, showing that "somewhat homomorphic" encryption can be based on LWE, using a new re-linearization technique.
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to-Decision Reductions
TLDR
It is shown that, for a wide range of parameters, m LWE samples can be proved indistinguishable from random just under the hypothesis that search LWE is a one-way function for the same number m of samples.