# LP Solutions of Vectorial Integer Subset Sums - Cryptanalysis of Galbraith's Binary Matrix LWE

@article{Herold2017LPSO,
title={LP Solutions of Vectorial Integer Subset Sums - Cryptanalysis of Galbraith's Binary Matrix LWE},
author={Gottfried Herold and Alexander May},
journal={IACR Cryptol. ePrint Arch.},
year={2017},
volume={2018},
pages={741}
}
• Published 28 March 2017
• Computer Science, Mathematics
• IACR Cryptol. ePrint Arch.
We consider Galbraith's space-efficient LWE variant, where the $$(m \times n)$$-matrix A is binary. In this binary case, solving a vectorial subset sum problem over the integers allows for decryption. We show how to solve this problem using (Integer) Linear Programming. Our attack requires only a fraction of a second for all instances in a regime for m that cannot be attacked by current lattice algorithms. E.g. we are able to solve 100 instances of Galbraith's small LWE challenge $$(n,m) = (256…

## Citations

Learning Plaintext in Galbraith's LWE Cryptosystem
• Computer Science
ICETE
• 2018
This work reports extensive experimental results on prediction accuracy and success probability as a function of the number of bits removed in L, M and H within the output (based on LP relaxation), where the mis-prediction rates are low, medium or high respectively.
LWE Without Modular Reduction and Improved Side-Channel Attacks Against BLISS
• Mathematics, Computer Science
IACR Cryptol. ePrint Arch.
• 2018
The variant of Regev's learning with errors (LWE) problem in which modular reduction is omitted is analyzed, and it is shown that the problem can be solved efficiently as long as the variance of $$e$$ is not superpolynomially larger than that of $$\mathbf{a}$$.
Parameter selection in lattice-based cryptography
This thesis considers parameter selection in cryptosystems based on LWE, with a focus on security, and discusses the selection of parameters in SEAL, an implementation of the scheme by Fan and Vercauteren.
Low Weight Discrete Logarithms and Subset Sum in $$2^{0.65n}$$ with Polynomial Memory
• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2019
Two heuristic polynomial-memory collision-finding algorithms are given for the low Hamming weight discrete logarithm problem in any abelian group G: a direct adaptation of the Becker-Coron-Joux (BCJ) algorithm, and a second algorithm that significantly improves on this adaptation for all possible weights.
A new Hybrid Lattice Attack on Galbraith's Binary LWE Cryptosystem
• Computer Science
ArXiv
• 2019
A lattice-based approach guesses and removes some bits of the solution vector and maps the problem of solving the resulting sub-instance to the Closest Vector Problem in Lattice Theory.
Silver: Silent VOLE and Oblivious Transfer from Hardness of Decoding Structured LDPC Codes
• Computer Science
CRYPTO
• 2021
The approach boils down to constructing new families of linear codes with (plausibly) high minimum distance and extremely low encoding time, and it is hoped that initiating this approach to the design of MPC primitives will pave the way to new secure primitives with extremely attractive efficiency features.
Cryptanalysis of Compact-LWE
• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2017
Dongxi Liu recently introduced a new lattice-based encryption scheme (joint work with Li, Kim and Nepal) designed for lightweight IoT applications, based on a variant of standard LWE called Compact-LWE, which is claimed to achieve high security levels in considerably smaller dimensions than usual lattice-based schemes.
Cryptanalysis of Compact-LWE and Related Lightweight Public Key Encryption
• Computer Science, Mathematics
Secur. Commun. Networks
• 2018
This paper studies the so-called Compact-LWE problem, clarifies that under certain parameter settings it can be solved in polynomial time, and derives a practical attack against an instantiated scheme based on Compact-LWE proposed by Liu et al. in 2017.
LWE-based encryption schemes and their applications in privacy-friendly data aggregation
LP Solutions of Vectorial Integer Subset Sums - Cryptanalysis of Galbraith's Binary Matrix LWE
• Computer Science, Mathematics
Public Key Cryptography
• 2017
A method is developed that identifies weak instances for Galbraith's large LWE challenge, where the $$(n,m)=(256, 640)$$-matrix A is binary, and it is shown, under a mild assumption, that instances with $$m \le 2n$$ can be broken in polynomial time via LP relaxation.
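The attack summarised in the abstract and in the PKC 2017 entry above, as an added toy model (not the paper's code). Assumed model: A is a binary $$(m \times n)$$ matrix, the encryptor picks $$u \in \{0,1\}^m$$, and the attacker sees $$c = u^T A$$ computed over the integers, so recovering u is a vectorial integer subset sum. The block relaxes u to $$[0,1]^m$$ and returns a vertex of the feasible polytope with a hand-written exact-rational phase-1 simplex, which stands in for the LP/ILP solver the paper uses; the instances, seeds and function names are constructed for this example.

```python
"""Toy reconstruction of the LP-relaxation attack on Galbraith's binary-matrix
LWE.  Added example, not the paper's code.  Assumed model: A is a binary
(m x n) matrix, the encryptor picks u in {0,1}^m and the attacker sees
c = u^T A over the integers.  Recovering u is a vectorial integer subset
sum; we relax u to [0,1]^m and return a vertex of the feasible polytope
using an exact-rational phase-1 simplex (a stand-in for a real LP/ILP solver).
"""
from fractions import Fraction
import random


def vectorial_subset_sum_instance(m, n, seed=0):
    """Constructed toy instance: random binary A, random binary u, c = u^T A."""
    rng = random.Random(seed)
    A = [[rng.randint(0, 1) for _ in range(n)] for _ in range(m)]
    u = [rng.randint(0, 1) for _ in range(m)]
    c = [sum(u[i] * A[i][j] for i in range(m)) for j in range(n)]
    return A, u, c


def lp_relaxation_vertex(A, c):
    """Vertex of {u in [0,1]^m : u^T A = c} as Fractions, or None if empty.

    Phase-1 simplex (minimise the sum of artificial variables) with Bland's
    rule, so it always terminates.  Columns: u (m), slacks s with u+s=1 (m),
    one artificial per row (n + m).  Exact arithmetic avoids float tolerances.
    """
    m, n = len(A), len(A[0])
    nrows, ncols = n + m, 2 * m + n + m
    T = []
    for j in range(n):                      # equality rows: sum_i A[i][j] u_i = c_j
        row = [Fraction(0)] * (ncols + 1)
        for i in range(m):
            row[i] = Fraction(A[i][j])
        row[2 * m + j] = Fraction(1)        # artificial variable
        row[ncols] = Fraction(c[j])         # right-hand side
        T.append(row)
    for i in range(m):                      # bound rows: u_i + s_i = 1
        row = [Fraction(0)] * (ncols + 1)
        row[i] = row[m + i] = row[2 * m + n + i] = Fraction(1)
        row[ncols] = Fraction(1)
        T.append(row)
    basis = [2 * m + r for r in range(nrows)]
    # Reduced costs: cost 1 on artificials, and every initial basic variable costs 1.
    z = [(Fraction(int(k >= 2 * m)) - sum(T[r][k] for r in range(nrows)))
         for k in range(ncols)]
    z.append(-sum(T[r][ncols] for r in range(nrows)))   # minus the objective value
    while True:
        enter = next((k for k in range(ncols) if z[k] < 0), None)   # Bland: first negative
        if enter is None:
            break
        leave, best = None, None
        for r in range(nrows):              # min-ratio test, Bland tie-break on basis index
            if T[r][enter] > 0:
                ratio = T[r][ncols] / T[r][enter]
                if best is None or ratio < best or (ratio == best and basis[r] < basis[leave]):
                    leave, best = r, ratio
        if leave is None:
            return None                     # defensive: the polytope is bounded
        piv = T[leave][enter]
        T[leave] = [v / piv for v in T[leave]]
        for r in range(nrows):
            if r != leave and T[r][enter] != 0:
                f = T[r][enter]
                T[r] = [a - f * b for a, b in zip(T[r], T[leave])]
        f = z[enter]
        z = [a - f * b for a, b in zip(z, T[leave])]
        basis[leave] = enter
    if z[ncols] != 0:
        return None                         # artificials stay positive: no u in [0,1]^m fits
    u = [Fraction(0)] * m
    for r, k in enumerate(basis):
        if k < m:
            u[k] = T[r][ncols]
    return u


def lp_attack(A, c):
    """Return (candidate u, integral?) for the relaxation; integral means decrypted."""
    v = lp_relaxation_vertex(A, c)
    if v is None:
        return None, False
    integral = all(x.denominator == 1 for x in v)
    return ([int(x) for x in v] if integral else v), integral


def check_solution(A, u, c):
    """Does u^T A == c over the integers?"""
    m, n = len(A), len(A[0])
    return all(sum(u[i] * A[i][j] for i in range(m)) == c[j] for j in range(n))


if __name__ == "__main__":
    # m = n with A^T invertible over Q: the polytope is a single point, so the
    # LP vertex must be the secret itself (constructed instance).
    A = [[1, 1, 0], [0, 1, 1], [1, 0, 1]]
    u = [1, 0, 1]
    c = [sum(u[i] * A[i][j] for i in range(3)) for j in range(3)]   # [2, 1, 1]
    print("square instance:", lp_attack(A, c))
    # m <= 2n regime on a random instance: the vertex is often, not always, integral.
    A2, u2, c2 = vectorial_subset_sum_instance(12, 8, seed=1)
    v, integral = lp_attack(A2, c2)
    print("random (m, n) = (12, 8):", "integral, u recovered" if integral and v == u2
          else ("integral but a different binary solution" if integral else "fractional vertex"))
```

On the square instance $$A^T$$ is invertible over the rationals, so the relaxed polytope is a single point and the simplex returns u exactly. For $$m > n$$ the vertex can be fractional, which is the situation the paper's $$m \le 2n$$ analysis and the fallback to integer programming address; a practitioner checking a parameter set should count how often the returned vertex is integral rather than assume it.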

## References

Provably Weak Instances of Ring-LWE Revisited
• Mathematics, Computer Science
EUROCRYPT
• 2016
This paper shows how to solve the search version of the ring learning with errors problem RLWE for the same families and error parameters, using only 7 samples with a success rate of 100%, and works for every modulus $$q'$$ instead of the q that was used to construct the defining polynomial.
On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack
• Computer Science, Mathematics
AFRICACRYPT
• 2016
Concrete hardness estimations are given that can be used to select secure parameters for schemes based on LWE with binary error, by applying the Howgrave-Graham attack on NTRU to this setting.
On Ideal Lattices and Learning with Errors over Rings
• Computer Science, Mathematics
JACM
• 2013
The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones; this work introduces an algebraic variant of LWE called ring-LWE and proves that it too enjoys very strong hardness guarantees.
Provably Weak Instances of Ring-LWE
• Computer Science, Mathematics
CRYPTO
• 2015
This paper states and examines the Ring-LWE problem for general number rings, demonstrates provably weak instances of the Decision Ring-LWE problem, and constructs an explicit family of number fields for which there is an efficient attack.
An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices
• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2015
A new variant of the Blum, Kalai and Wasserman algorithm is introduced, relying on a quantization step that generalizes and fine-tunes modulus switching, which makes it possible to asymptotically and heuristically break the NTRU cryptosystem in subexponential time (without contradicting its security assumption).
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
• Mathematics, Computer Science
EUROCRYPT
• 2012
A compression technique that reduces the public key size of van Dijk, Gentry, Halevi and Vaikuntanathan's (DGHV) fully homomorphic scheme over the integers from $$O(\lambda^7)$$ to $$O(\lambda^5)$$ remains semantically secure, but in the random oracle model.
Space-efficient variants of cryptosystems based on learning with errors
The aim of this paper is to investigate variants of LWE where the coefficients of the public key matrix are not chosen uniformly modulo q but are instead “small”, and to introduce some computational problems that may be interesting targets for cryptanalysis.
Key Homomorphic PRFs and Their Applications
• Mathematics, Computer Science
CRYPTO
• 2013
This work constructs the first provably secure key homomorphic PRFs in the standard model based on the learning with errors (LWE) problem and gives a construction based on the decision linear assumption in groups with an l-linear map.
Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems
• Computer Science, Mathematics
CHES
• 2012
This work presents a signature scheme whose security is derived from the hardness of lattice problems and is based on recent theoretical advances in lattice-based cryptography and is highly optimized for practicability and use in embedded systems.
Better Key Sizes (and Attacks) for LWE-Based Encryption
• Computer Science, Mathematics
CT-RSA
• 2011
A new lattice attack on LWE that combines basis reduction with an enumeration algorithm admitting a time/success tradeoff performs better than the simple distinguishing attack considered in prior analyses.