# LP Solutions of Vectorial Integer Subset Sums - Cryptanalysis of Galbraith's Binary Matrix LWE

@article{Herold2017LPSO, title={LP Solutions of Vectorial Integer Subset Sums - Cryptanalysis of Galbraith's Binary Matrix LWE}, author={Gottfried Herold and Alexander May}, journal={IACR Cryptol. ePrint Arch.}, year={2017}, volume={2018}, pages={741} }

We consider Galbraith’s space efficient LWE variant, where the \((m \times n)\)-matrix A is binary. In this binary case, solving a vectorial subset sum problem over the integers allows for decryption. We show how to solve this problem using (Integer) Linear Programming. Our attack requires only a fraction of a second for all instances in a regime for m that cannot be attacked by current lattice algorithms. E.g. we are able to solve 100 instances of Galbraith’s small LWE challenge \((n,m) = (256…

## 10 Citations

Learning Plaintext in Galbraith's LWE Cryptosystem

- Computer Science
- ICETE
- 2018

This work reports extensive experimental results on prediction accuracy and success probability as a function of number of bits removed in L, M and H within the output (based on LP relaxation) where the mis-prediction rates are low, medium or high respectively.

LWE Without Modular Reduction and Improved Side-Channel Attacks Against BLISS

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2018

The variant of Regev’s learning with errors (LWE) problem in which modular reduction is omitted is analyzed, and it is shown that the problem can be solved efficiently as long as the variance of e is not superpolynomially larger than that of \(\mathbf{a}\).

Parameter selection in lattice-based cryptography

- Computer Science, Mathematics
- 2018

This thesis considers parameter selection in cryptosystems based on LWE, with a focus on security, and discusses the selection of parameters in SEAL, an implementation of the scheme by Fan and Vercauteren.

Low Weight Discrete Logarithms and Subset Sum in \(2^{0.65n}\) with Polynomial Memory

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

Two heuristic polynomial-memory collision-finding algorithms for the low Hamming weight discrete logarithm problem in any abelian group G are given: a direct adaptation of the Becker-Coron-Joux (BCJ) algorithm, and a second algorithm that significantly improves on this adaptation for all possible weights.

A new Hybrid Lattice Attack on Galbraith's Binary LWE Cryptosystem

- Computer Science
- ArXiv
- 2019

A lattice-based approach guesses and removes some bits of the solution vector and maps the problem of solving the resulting sub-instance to the Closest Vector Problem in Lattice Theory.

Silver: Silent VOLE and Oblivious Transfer from Hardness of Decoding Structured LDPC Codes

- Computer Science
- CRYPTO
- 2021

The approach boils down to constructing new families of linear codes with (plausibly) high minimum distance and extremely low encoding time, and it is hoped that initiating this approach to the design of MPC primitives will pave the way to new secure primitives with extremely attractive efficiency features.

Cryptanalysis of Compact-LWE

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2017

Dongxi Liu recently introduced a new lattice-based encryption scheme (joint work with Li, Kim and Nepal) designed for lightweight IoT applications, based on a variant of standard LWE called Compact-LWE, which is claimed to achieve high security levels in considerably smaller dimensions than usual lattice-based schemes.

Cryptanalysis of Compact-LWE and Related Lightweight Public Key Encryption

- Computer Science, Mathematics
- Secur. Commun. Networks
- 2018

This paper studies the so-called Compact-LWE problem and clarifies that under certain parameter settings it can be solved in polynomial time, which leads to a practical attack against an instantiated scheme based on Compact-LWE proposed by Liu et al. in 2017.

LWE-based encryption schemes and their applications in privacy-friendly data aggregation

- Computer Science, Mathematics
- 2018


LP Solutions of Vectorial Integer Subset Sums - Cryptanalysis of Galbraith's Binary Matrix LWE

- Computer Science, Mathematics
- Public Key Cryptography
- 2017

A method is developed that identifies weak instances for Galbraith’s large LWE challenge, where the \((n,m)=(256, 640)\)-matrix A is binary, under a mild assumption that instances with \(m \le 2n\) can be broken in polynomial time via LP relaxation.

## References


Provably Weak Instances of Ring-LWE Revisited

- Mathematics, Computer Science
- EUROCRYPT
- 2016

This paper shows how to solve the search version of the ring learning with errors problem RLWE for the same families and error parameters, using only 7 samples with a success rate of 100%, and the attack works for every modulus \(q'\) instead of only the q that was used to construct the defining polynomial.

On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack

- Computer Science, Mathematics
- AFRICACRYPT
- 2016

Concrete hardness estimations are given that can be used to select secure parameters for schemes based on LWE with binary error, by applying the Howgrave-Graham attack on NTRU to this setting.

On Ideal Lattices and Learning with Errors over Rings

- Computer Science, Mathematics
- JACM
- 2013

The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones, by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees.

Provably Weak Instances of Ring-LWE

- Computer Science, Mathematics
- CRYPTO
- 2015

This paper states and examines the Ring-LWE problem for general number rings, demonstrates provably weak instances of the Decision Ring-LWE problem, and constructs an explicit family of number fields for which an efficient attack exists.

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2015

A new variant of the Blum, Kalai and Wasserman algorithm is introduced, relying on a quantization step that generalizes and fine-tunes modulus switching, which makes it possible to asymptotically and heuristically break the NTRU cryptosystem in subexponential time (without contradicting its security assumption).

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

- Mathematics, Computer Science
- EUROCRYPT
- 2012

A compression technique reduces the public key size of van Dijk, Gentry, Halevi and Vaikuntanathan's (DGHV) fully homomorphic scheme over the integers from \(O(\lambda^7)\) to \(O(\lambda^5)\); the compressed scheme remains semantically secure, but only in the random oracle model.

Space-efficient variants of cryptosystems based on learning with errors

- Computer Science, Mathematics
- 2012

The aim of this paper is to investigate variants of LWE where the coefficients of the public key matrix are not chosen uniformly modulo q but are instead “small”, and to introduce some computational problems that may be interesting targets for cryptanalysis.

Key Homomorphic PRFs and Their Applications

- Mathematics, Computer Science
- CRYPTO
- 2013

This work constructs the first provably secure key homomorphic PRFs in the standard model based on the learning with errors (LWE) problem and gives a construction based on the decision linear assumption in groups with an l-linear map.

Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems

- Computer Science, Mathematics
- CHES
- 2012

This work presents a signature scheme whose security is derived from the hardness of lattice problems and is based on recent theoretical advances in lattice-based cryptography and is highly optimized for practicability and use in embedded systems.

Better Key Sizes (and Attacks) for LWE-Based Encryption

- Computer Science, Mathematics
- CT-RSA
- 2011

A new lattice attack on LWE that combines basis reduction with an enumeration algorithm admitting a time/success tradeoff performs better than the simple distinguishing attack considered in prior analyses.