Revisiting the Sparsification Technique in Kannan’s Embedding Attack on LWE
The Learning with Errors (LWE) problem is one of the most important computational problems in modern lattice-based cryptography. It can be viewed as a Bounded Distance Decoding (BDD) problem, which can be reduced to the unique Shortest Vector Problem (uSVP). The standard way to reduce BDD to uSVP is via Kannan’s embedding. At ICALP 2016, Bai, Stehlé, and Wen presented an improved theoretical reduction from BDD to uSVP which uses sparsification techniques. So far, the implications of this improved reduction and of the use of sparsification for the hardness of LWE have not been studied. In this work, we consider a sparsified embedding attack on LWE which is deduced from the Bai–Stehlé–Wen reduction. In particular, we analyze its performance under the so-called 2016 estimate introduced at USENIX 2016 by Alkim, Ducas, Pöppelmann, and Schwabe and analyzed at ASIACRYPT 2017 by Albrecht, Göpfert, Virdia, and Wunderer. Our results suggest that in general the sparsified embedding attack does not yield a better attack on LWE in practice than Kannan’s embedding. However, for certain parameter sets and scenarios with a reasonable number of computing clusters, the use of sparsification may be beneficial.
Keywords: Lattice-based cryptography, Sparsification, Cryptanalysis, BDD, SVP, LWE
This work has been supported by JSPS KAKENHI Grant Number JP17J01987 and by the DFG as part of project P1 within the CRC 1119 CROSSING.
- [ADPS16] Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, pp. 327–343. USENIX Association (2016)
- [AWHT16] Aono, Y., Wang, Y., Hayashi, T., Takagi, T.: Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 789–819. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_30
- [BSW16] Bai, S., Stehlé, D., Wen, W.: Improved reduction from the bounded distance decoding problem to the unique shortest vector problem in lattices. In: Chatzigiannakis, I., Mitzenmacher, M., Rabani, Y., Sangiorgi, D. (eds.) ICALP 2016, Volume 55 of LIPIcs, pp. 76:1–76:12. Schloss Dagstuhl, July 2016
- [Che13] Chen, Y.: Réduction de réseau et sécurité concrete du chiffrement completement homomorphe. Ph.D. thesis, ENS-Lyon, France (2013)
- [DRS14] Dadush, D., Regev, O., Stephens-Davidowitz, N.: On the closest vector problem with a distance guarantee. In: IEEE 29th Conference on Computational Complexity, CCC 2014, Vancouver, BC, Canada, June 11–13, 2014, pp. 98–109. IEEE Computer Society (2014)
- [GSW13] Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
- [Kho03] Khot, S.: Hardness of approximating the shortest vector problem in high Lp norms. In: 44th FOCS, pp. 290–297. IEEE Computer Society Press, October 2003
- [Kho04] Khot, S.: Hardness of approximating the shortest vector problem in lattices. In: 45th FOCS, pp. 126–135. IEEE Computer Society Press, October 2004
- [LP10] Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. Cryptology ePrint Archive, Report 2010/613 (2010). http://eprint.iacr.org/2010/613
- [SD16] Stephens-Davidowitz, N.: Discrete Gaussian sampling reduces to CVP and SVP. In: Krauthgamer, R. (ed.) 27th SODA, pp. 1748–1764. ACM-SIAM, January 2016
- [Var97] Vardy, A.: Algorithmic complexity in coding theory and the minimum distance problem (invited session). In: 29th ACM STOC, pp. 92–109. ACM Press, May 1997