Advertisement

Better Algorithms for LWE and LWR

  • Alexandre DucEmail author
  • Florian Tramèr
  • Serge Vaudenay
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9056)

Abstract

The Learning With Error problem (LWE) is becoming more and more used in cryptography, for instance, in the design of some fully homomorphic encryption schemes. It is thus of primordial importance to find the best algorithms that might solve this problem so that concrete parameters can be proposed. The BKW algorithm was proposed by Blum et al. as an algorithm to solve the Learning Parity with Noise problem (LPN), a subproblem of LWE. This algorithm was then adapted to LWE by Albrecht et al.

In this paper, we improve the algorithm proposed by Albrecht et al. by using multidimensional Fourier transforms. Our algorithm is, to the best of our knowledge, the fastest LWE solving algorithm. Compared to the work of Albrecht et al. we greatly simplify the analysis, getting rid of integrals which were hard to evaluate in the final complexity. We also remove some heuristics on rounded Gaussians. Some of our results on rounded Gaussians might be of independent interest. Moreover, we also analyze algorithms solving LWE with discrete Gaussian noise.

Finally, we apply the same algorithm to the Learning With Rounding problem (LWR) for prime \(q\), a deterministic counterpart to LWE. This problem is getting more and more attention and is used, for instance, to design pseudorandom functions. To the best of our knowledge, our algorithm is the first algorithm applied directly to LWR. Furthermore, the analysis of LWR contains some technical results of independent interest.

Keywords

Discrete Fourier Transform Reduction Phase Homomorphic Encryption Pseudorandom Function Back Substitution 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Albrecht, M.R., Cid, C., Faugère, J.C., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. In: Designs, Codes and Cryptography, pp. 1–30 (2013)Google Scholar
  2. 2.
    Albrecht, M.R., Faugère, J.-C., Fitzpatrick, R., Perret, L.: Lazy Modulus Switching for the BKW Algorithm on LWE. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 429–445. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  3. 3.
    Alwen, J., Krenn, S., Pietrzak, K., Wichs, D.: Learning with rounding, revisited - new reduction, properties and applications. In: Canetti and Garay [19], pp. 57–74Google Scholar
  4. 4.
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  5. 5.
    Arora, S., Ge, R.: New Algorithms for Learning in Presence of Errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011, Part I. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  6. 6.
    Arthur Pewsey, Markus Neuhäuser, G.D.R.: Circular statistics in R. Oxford University Press (2013)Google Scholar
  7. 7.
    Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen 296(1), 625–635 (1993)CrossRefzbMATHMathSciNetGoogle Scholar
  8. 8.
    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom Functions and Lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  9. 9.
    Becker, A., Gama, N., Joux, A.: A sieve algorithm based on overlattices. LMS Journal of Computation and Mathematics 17, 49–70 (1 2014)Google Scholar
  10. 10.
    Bernstein, D.J., Lange, T.: Never Trust a Bunny. In: Hoepman, J.-H., Verbauwhede, I. (eds.) RFIDSec 2012. LNCS, vol. 7739, pp. 137–148. Springer, Heidelberg (2013) Google Scholar
  11. 11.
    Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)CrossRefMathSciNetGoogle Scholar
  12. 12.
    Bogos, S., Tramer, F., Vaudenay, S.: On Solving LPN using BKW and Variants. Cryptology ePrint Archive, Report 2015/049 (2015). http://eprint.iacr.org/
  13. 13.
    Boneh, D., Lewi, K., Montgomery, H.W., Raghunathan, A.: Key Homomorphic PRFs and Their Applications. In: Canetti and Garay [19], pp. 410–428Google Scholar
  14. 14.
    Bracewell, R.N., Bracewell, R.: The Fourier transform and its applications, vol. 31999. McGraw-Hill, New York (1986)Google Scholar
  15. 15.
    Brakerski, Z.: Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  16. 16.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, June 1–4, 2013. pp. 575–584. ACM (2013)Google Scholar
  17. 17.
    Brakerski, Z., Vaikuntanathan, V.: Efficient Fully Homomorphic Encryption from (Standard) LWE. In: Ostrovsky, R. (ed.) IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, Palm Springs, CA, USA, October 22–25, 2011. pp. 97–106. IEEE (2011)Google Scholar
  18. 18.
    Buhler, J., Shokrollahi, M.A., Stemann, V.: Fast and precise Fourier transforms. IEEE Transactions on Information Theory 46(1), 213–228 (2000)CrossRefzbMATHMathSciNetGoogle Scholar
  19. 19.
    Canetti, R., Garay, J.A. (eds.): Advances in Cryptology - CRYPTO 2013–33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2013. Proceedings, Part I, Lecture Notes in Computer Science, vol. 8042. Springer (2013)Google Scholar
  20. 20.
    Chekuri, C., Jansen, K., Rolim, J.D.P., Trevisan, L. (eds.): Approximation, Randomization and Combinatorial Optimization, Algorithms and Techniques, APPROX 2005 and RANDOM 2005, Lecture Notes in Computer Science, vol. 3624. Springer (2005)Google Scholar
  21. 21.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better Lattice Security Estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  22. 22.
    Fossorier, M.P.C., Mihaljević, M.J., Imai, H., Cui, Y., Matsuura, K.: An Algorithm for Solving the LPN Problem and Its Application to Security Evaluation of the HB Protocols for RFID Authentication. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 48–62. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  23. 23.
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice Enumeration Using Extreme Pruning. In: Gilbert [28], pp. 257–278Google Scholar
  24. 24.
    Gelfand, I.M., Shilov, G.: Generalized functions. Vol. 1. Properties and operations (1964)Google Scholar
  25. 25.
    Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009). http://crypto.stanford.edu/craig
  26. 26.
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork, C. (ed.) Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17–20, 2008. pp. 197–206. ACM (2008)Google Scholar
  27. 27.
    Gentry, C., Sahai, A., Waters, B.: Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based. In: Canetti and Garay [19], pp. 75–92Google Scholar
  28. 28.
    Gilbert, H. (ed.): Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30 - June 3, 2010. Proceedings, Lecture Notes in Computer Science, vol. 6110. Springer (2010)Google Scholar
  29. 29.
    Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Robustness of the Learning with Errors Assumption. In: Yao, A.C. (ed.) Proceedings of the Innovations in Computer Science - ICS 2010, Tsinghua University, Beijing, China, January 5–7, 2010, pp. 230–240. Tsinghua University Press (2010)Google Scholar
  30. 30.
    Hanrot, G., Pujol, X., Stehlé, D.: Algorithms for the Shortest and Closest Lattice Vector Problems. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 159–190. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  31. 31.
    Hanrot, G., Pujol, X., Stehlé, D.: Analyzing Blockwise Lattice Algorithms Using Dynamical Systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  32. 32.
    Heyse, S., Kiltz, E., Lyubashevsky, V., Paar, C., Pietrzak, K.: Lapin: An Efficient Authentication Protocol Based on Ring-LPN. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 346–365. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  33. 33.
    Hoeffding, W.: Probability inequalities for sums of bounded random variables. Journal of the American statistical association 58(301), 13–30 (1963)CrossRefzbMATHMathSciNetGoogle Scholar
  34. 34.
    Impagliazzo, R., Zuckerman, D.: How to Recycle Random Bits. In: FOCS. pp. 248–253. IEEE Computer Society (1989)Google Scholar
  35. 35.
    Levieil, É., Fouque, P.-A.: An Improved LPN Algorithm. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 348–359. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  36. 36.
    Lindner, R., Peikert, C.: Better Key Sizes (and Attacks) for LWE-Based Encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  37. 37.
    Lyubashevsky, V.: The Parity Problem in the Presence of Noise, Decoding Random Linear Codes, and the Subset Sum Problem. In: Chekuri et al. [20], pp. 378–389Google Scholar
  38. 38.
    Lyubashevsky, V., Peikert, C., Regev, O.: On Ideal Lattices and Learning with Errors over Rings. In: Gilbert [28], pp. 1–23Google Scholar
  39. 39.
    Mardia, K., Jupp, P.: Directional Statistics. Wiley, Wiley Series in Probability and Statistics (2009)Google Scholar
  40. 40.
    Nguyen, P.Q.: Lattice Reduction Algorithms: Theory and Practice. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 2–6. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  41. 41.
    Nguyen, P.Q., Stehlé, D.: Low-dimensional lattice basis reduction revisited. ACM Transactions on Algorithms 5(4) (2009)Google Scholar
  42. 42.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Mitzenmacher, M. (ed.) Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31 - June 2, 2009, pp. 333–342. ACM (2009)Google Scholar
  43. 43.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6) (2009)Google Scholar
  44. 44.
    Regev, O.: The learning with errors problem (invited survey). In: IEEE Conference on Computational Complexity. pp. 191–204. IEEE Computer Society (2010)Google Scholar
  45. 45.
    Rudin, W.: Functional analysis. McGraw-Hill Inc, New York (1991)zbMATHGoogle Scholar
  46. 46.
    Eickhoff, J.: Introduction. In: Eickhoff, J. (ed.) Onboard Computers, Onboard Software and Satellite Operations. SAT, vol. 1, pp. 3–6. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  47. 47.
    Strichartz, R.S.: A guide to distribution theory and Fourier transforms. World Scientific (2003)Google Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Alexandre Duc
    • 1
    Email author
  • Florian Tramèr
    • 1
  • Serge Vaudenay
    • 1
  1. 1.EPFLLausanneSwitzerland

Personalised recommendations