Advertisement

A Refined Analysis of the Cost for Solving LWE via uSVP

  • Shi Bai
  • Shaun MillerEmail author
  • Weiqiang Wen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11627)

Abstract

The learning with errors (LWE) problem (STOC’05) introduced by Regev is one of the fundamental problems in lattice-based cryptography. One standard strategy to solve the LWE problem is to reduce it to a unique SVP (\(\mathrm {\textsc {u}SVP}\)) problem via Kannan’s embedding and then apply a lattice reduction to solve the \(\mathrm {\textsc {u}SVP}\) problem. There are two methods for estimating the cost for solving LWE via this strategy: the first method considers the largeness of the gap in the \(\mathrm {\textsc {u}SVP}\) problem (Gama-Nguyen, Eurocrypt’08) and the second method (Alkim et al., USENIX’16) considers the shortness of the projection of the shortest vector to the Gram-Schmidt vectors. These two estimates have been investigated by Albrecht et al. (Asiacrypt’16) who present a sound analysis and show that the lattice reduction experiments fit more consistently with the second estimate. They also observe that in some cases the lattice reduction even behaves better than the second estimate perhaps due to the second intersection of the projected vector with the Gram-Schmidt vectors. In this work, we revisit the work of Alkim et al. and Albrecht et al. We first report further experiments providing more comparisons and suggest that the second estimate leads to a more accurate prediction in practice. We also present empirical evidence confirming the assumptions used in the second estimate. Furthermore, we examine the gaps in \(\mathrm {\textsc {u}SVP}\) derived from the embedded lattice and explain why it is preferable to use \(\mu = 1\) for the embedded lattice. This shows there is a coherent relation between the second estimate and the gaps in \(\mathrm {\textsc {u}SVP}\). Finally, it has been conjectured by Albrecht et al. that the second intersection will not happen for large parameters. We will show that this is indeed the case: there is no second intersection as \(\beta \rightarrow \infty \).

Keywords

Lattice-based cryptography LWE \(\mathrm {\textsc {u}SVP}\) Lattice reduction 

Notes

Acknowledgments

We thank the reviewers for their valuable comments and suggestions. The authors would like to acknowledge the use of the services provided by Research Computing at the Florida Atlantic University.

References

  1. 1.
    Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM Press, May 1996Google Scholar
  2. 2.
    Albrecht, M.R., Fitzpatrick, R., Göpfert, F.: On the efficacy of solving LWE by reduction to unique-SVP. In: Lee, H.-S., Han, D.-G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 293–310. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-12160-4_18CrossRefGoogle Scholar
  3. 3.
    Albrecht, M.R., Curtis, B.R., Deo, A., Davidson, A., Player, R., Postlethwaite, E.W., Virdia, F., Wunderer, T.: Estimate all the LWE, NTRU schemes!. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-98113-0_19CrossRefGoogle Scholar
  4. 4.
    Albrecht, M.R., Faugère, J.-C., Fitzpatrick, R., Perret, L.: Lazy modulus switching for the BKW algorithm on LWE. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 429–445. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-54631-0_25CrossRefGoogle Scholar
  5. 5.
    Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70694-8_11CrossRefGoogle Scholar
  6. 6.
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)MathSciNetCrossRefGoogle Scholar
  7. 7.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 2016: 25th USENIX Security Symposium, pp. 327–343. USENIX Association, August 2016Google Scholar
  8. 8.
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03356-8_35CrossRefGoogle Scholar
  9. 9.
    Babai, L.: On Lovász lattice reduction and the nearest lattice point problem. Combinatorica 6, 1–13 (1986)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-04852-9_2CrossRefGoogle Scholar
  11. 11.
    Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-08344-5_21CrossRefGoogle Scholar
  12. 12.
    Bai, S., Galbraith, S.D., Li, L., Sheffield, D.: Improved combinatorial algorithms for the inhomogeneous short integer solution problem. J. Cryptol. 32(1), 35–83 (2019)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Bai, S., Stehlé, D., Wen, W.: Improved reduction from the bounded distance decoding problem to the unique shortest vector problem in lattices. In: Proceedings of ICALP, pp. 76:1–76:12 (2016)Google Scholar
  14. 14.
    Bai, S., Stehlé, D., Wen, W.: Measuring, simulating and exploiting the head concavity phenomenon in BKZ. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part I. LNCS, vol. 11272, pp. 369–404. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03326-2_13CrossRefGoogle Scholar
  15. 15.
    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_42CrossRefGoogle Scholar
  16. 16.
    Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. In: 32nd Annual ACM Symposium on Theory of Computing, pp. 435–440. ACM Press, May 2000Google Scholar
  17. 17.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, pp. 575–584. ACM Press, June 2013Google Scholar
  18. 18.
    Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22792-9_29CrossRefGoogle Scholar
  19. 19.
    Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Université Paris Diderot (2009)Google Scholar
  20. 20.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25385-0_1CrossRefGoogle Scholar
  21. 21.
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40041-4_3CrossRefGoogle Scholar
  22. 22.
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–471 (1985)MathSciNetCrossRefGoogle Scholar
  23. 23.
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78967-3_3CrossRefGoogle Scholar
  24. 24.
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_13CrossRefGoogle Scholar
  25. 25.
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM Press, May 2008Google Scholar
  26. 26.
    Hanrot, G., Pujol, X., Stehlé, D.: Algorithms for the shortest and closest lattice vector problems. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 159–190. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-20901-7_10CrossRefzbMATHGoogle Scholar
  27. 27.
    Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22792-9_25CrossRefGoogle Scholar
  28. 28.
    Herold, G., Kirshanova, E., May, A.: On the asymptotic complexity of solving LWE. Des. Codes Cryptogr. 86(1), 55–83 (2018)MathSciNetCrossRefGoogle Scholar
  29. 29.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: 15th Annual ACM Symposium on Theory of Computing, pp. 193–206. ACM Press, April 1983Google Scholar
  30. 30.
    Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)MathSciNetCrossRefGoogle Scholar
  31. 31.
    Khot, S.: Hardness of approximating the shortest vector problem in high \(L_{p}\) norms. In: Proceedings of FOCS, pp. 290–297. IEEE Computer Society Press (2003)Google Scholar
  32. 32.
    Kirchner, P., Fouque, P.-A.: An improved BKW algorithm for LWE with applications to cryptography and lattices. Cryptology ePrint Archive, Report 2015/552 (2015). http://eprint.iacr.org/2015/552
  33. 33.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-19074-2_21CrossRefGoogle Scholar
  34. 34.
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-36095-4_19CrossRefGoogle Scholar
  35. 35.
    Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_43CrossRefGoogle Scholar
  36. 36.
    Lyubashevsky, V., Micciancio, D.: On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 577–594. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03356-8_34CrossRefGoogle Scholar
  37. 37.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_1CrossRefGoogle Scholar
  38. 38.
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th Annual Symposium on Foundations of Computer Science, pp. 372–381. IEEE Computer Society Press, October 2004Google Scholar
  39. 39.
    Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: Indyk, P. (ed.) 26th Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 276–294. ACM-SIAM, January 2015Google Scholar
  40. 40.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, pp. 84–93. ACM Press, May 2005Google Scholar
  41. 41.
    Regev, O.: Lattice-based cryptography (invited talk). In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 131–141. Springer, Heidelberg (2006).  https://doi.org/10.1007/11818175_8CrossRefGoogle Scholar
  42. 42.
    Schnorr, C.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53(2–3), 201–224 (1987)MathSciNetCrossRefGoogle Scholar
  43. 43.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. In: Budach, L. (ed.) FCT 1991. LNCS, vol. 529, pp. 68–85. Springer, Heidelberg (1991).  https://doi.org/10.1007/3-540-54458-5_51CrossRefGoogle Scholar
  44. 44.
    Schnorr, C.P.: A more efficient algorithm for lattice basis reduction. In: Kott, L. (ed.) ICALP 1986. LNCS, vol. 226, pp. 359–369. Springer, Heidelberg (1986).  https://doi.org/10.1007/3-540-16761-7_85CrossRefGoogle Scholar
  45. 45.
    Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36494-3_14CrossRefGoogle Scholar
  46. 46.
    The FPLLL development team. fplll, a lattice reduction library (2019). https://github.com/fplll/fplll
  47. 47.
    The FPYLLL development team. fpylll, a python wrapper for fplll (2019). https://github.com/fplll/fplll
  48. 48.
    Wang, Y., Aono, Y., Takagi, T.: Hardness evaluation for search LWE problem using progressive BKZ simulator. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 101(12), 2162–2170 (2018)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Mathematical SciencesFlorida Atlantic UniversityBoca RatonUSA
  2. 2.Univ Rennes, CNRS, IRISARennesFrance

Personalised recommendations