Advertisement

Estimated Cost for Solving Generalized Learning with Errors Problem via Embedding Techniques

  • Weiyao Wang
  • Yuntao Wang
  • Atsushi Takayasu
  • Tsuyoshi Takagi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11049)

Abstract

Estimating for the computational cost of solving learning with errors (LWE) problem is an indispensable research topic to the lattice-based cryptography in practice. For this purpose, the embedding approach is usually employed. The technique first constructs a basis matrix by embedding an LWE instance. At this stage, Kannan’s and Bai-Galbraith’s embeddings are believed to be the most efficient approaches for the standard and the binary LWE with secret vectors in \(\mathbb {Z}_q^n\) and \(\{0,1\}^n\), respectively. Indeed, both methods work well with sufficiently many LWE samples. After the embedding phase, solving the unique shortest vector problem (uSVP) in the lattice spanned by the basis matrix results in solving the LWE. Recently, there are several lattice-based schemes whose secret vectors have special distributions, e.g., small elements and/or sparse vectors, have been proposed to realize efficient implementations. In this paper, to capture such settings and more, we study the LWE problem in a general setting. We analyze the LWE problem whose secret vectors are sampled from arbitrary distributions. Furthermore, we also study the problem when the number of samples is restricted. We believe that our work provides more general understanding of the hardness of LWE. Moreover, we propose a half-twisted embedding that contains the existing two embedding methods as special cases. This proposal enables us to analyze the hardness of LWE in a generic manner and sometimes provides improved attacks.

Notes

Acknowledgement

This work was supported by JSPS KAKENHI Grant Number JP17H06571, and JST CREST Grant Number JPMJCR14D6, Japan. The second author is supported by a JSPS fellowship for Young Scientists (JP17J01987).

References

  1. 1.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proceedings of the STOC 2001, pp. 601–610. ACM (2001)Google Scholar
  2. 2.
    Albrecht, M.R., Cid, C., Faugère, J., Fitzpatrick, R., Perret, L.: Algebraic algorithms for LWE problems. ACM Commun. Comput. Algebra 49(2), 62 (2015)CrossRefGoogle Scholar
  3. 3.
    Albrecht, M.R., Cid, C., Faugère, J., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Des. Codes Crypt. 74(2), 325–354 (2015)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70694-8_11CrossRefGoogle Scholar
  5. 5.
    Alkim, E., et al.: Revisiting TESLA in the quantum random oracle model. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 143–162. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-59879-6_9CrossRefGoogle Scholar
  6. 6.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange–a new hope. In: Proceedings of the USENIX Security 2016, pp. 327–343. USENIX Association (2016)Google Scholar
  7. 7.
    Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-08344-5_21CrossRefGoogle Scholar
  8. 8.
    Bindel, N., Buchmann, J.A., Göpfert, F., Schmidt, M.: Estimation of the hardness of the learning with errors problem with a restricted number of samples. IACR Cryptology ePrint Archive 2017/140 (2017)Google Scholar
  9. 9.
    Bos, J.W., et al.: Frodo: take off the ring! practical, quantum-secure key exchange from LWE. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security 2016, pp. 1006–1018. ACM (2016)Google Scholar
  10. 10.
    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: IEEE Symposium on Security and Privacy 2015, pp. 553–570. IEEE Computer Society (2015)Google Scholar
  11. 11.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé.: Classical hardness of learning with errors. In: STOC 2013, pp. 575–584 (2013)Google Scholar
  12. 12.
    Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Paris 7 (2013)Google Scholar
  13. 13.
    Cheon, J.H., Kim, D., Lee, J., Song, Y.S.: Lizard: cut off the tail! // practical post-quantum public-key encryption from LWE and LWR. IACR Cryptology ePrint Archive 2016/1126 (2016)Google Scholar
  14. 14.
    Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptology ePrint Archive 2012/688 (2012)Google Scholar
  15. 15.
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78967-3_3CrossRefGoogle Scholar
  16. 16.
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the STOC 2008, pp. 197–206. ACM (2008)Google Scholar
  17. 17.
    Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)MathSciNetCrossRefGoogle Scholar
  18. 18.
    Laarhoven, T.: Search problems in cryptography: from fingerprinting to lattice sieving. Ph.D. thesis, Eindhoven University of Technology (2015)Google Scholar
  19. 19.
    Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. SODA 2015, 276–294 (2015)MathSciNetzbMATHGoogle Scholar
  21. 21.
    Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-11659-4_12CrossRefzbMATHGoogle Scholar
  22. 22.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the STOC 2005, pp. 84–93. ACM (2005)Google Scholar
  23. 23.
    Schnorr, C.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Schnorr, C.: Lattice reduction by random sampling and birthday methods. In: Proceedings of the STACS 2003, pp. 145–156. ACM (2003)Google Scholar
  25. 25.
    Schnorr, C., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)MathSciNetCrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Weiyao Wang
    • 1
  • Yuntao Wang
    • 1
    • 2
  • Atsushi Takayasu
    • 1
    • 3
  • Tsuyoshi Takagi
    • 1
  1. 1.Department of Mathematical InformaticsThe University of TokyoTokyoJapan
  2. 2.Graduate School of MathematicsKyushu UniversityFukuokaJapan
  3. 3.National Institute of Advanced Industrial Science and TechnologyTokyoJapan

Personalised recommendations