An Experimental Study of the BDD Approach for the Search LWE Problem

  • Rui XuEmail author
  • Sze Ling Yeo
  • Kazuhide Fukushima
  • Tsuyoshi Takagi
  • Hwajung Seo
  • Shinsaku Kiyomoto
  • Matt Henricksen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)


The proved hardness of the Learning With Errors (LWE) problem, assuming the worst case intractability of classic lattice problems, has made it a standard building block in the recent design of lattice based cryptosystems. Nonetheless, a thorough understanding of the security of these schemes from the perspective of existing attacks remains an open problem. In this manuscript, we report our implementation of the Bounded Distance Decoding (BDD) approach for solving the search LWE problem. We implement a parallel version of the pruned enumeration method of the BDD strategy proposed by Liu and Nguyen.

In our implementation we use the embarrassingly parallel design so that the power of multi-cores can be fully utilized. We let each thread take a randomized basis and perform independent enumerations to find the solution instead of parallelizing the enumeration algorithm itself. Other optimizations include fine-tuning the BKZ block size, the enumeration bound and the pruning coefficients and the optimal dimension of the LWE problem. Experiments are done using the TU Darmstadt LWE challenge. Finally we compare our implementation with a recent parallel BDD implementation by Kirshanova et al. [18] and show that our implementation is more efficient.


Learning With Errors Lattice based cryptography Security evaluation Bounded Distance Decoding 

Supplementary material


  1. 1.
    Ajtai, M.: Generating hard instances of lattice problems. In: Proceedings of 28th Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM (1996)Google Scholar
  2. 2.
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015)Google Scholar
  3. 3.
    Albrecht, M.R., Cid, C., Faugere, J., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Des. Codes Cryptogr. 74(2), 325–354 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Albrecht, M.R., Cid, C., Faugere, J., Perret, L.: Algebraic algorithms for LWE. Cryptology ePrint Archive, Report 2014/1018 (2014)Google Scholar
  5. 5.
    Albrecht, M.R., Cadé, D., Pujol, X., Stehlé, D.: fplll-4.0, a floating-point LLL implementation.
  6. 6.
    Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22006-7_34 CrossRefGoogle Scholar
  7. 7.
    Aono, Y.: A faster method for computing Gama-Nguyen-Regev’s extreme pruning coefficients (2014). arXiv preprint arXiv:1406.0342
  8. 8.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of 45th Annual ACM Symposium on Theory of Computing, STOC 2013, pp. 575–584. ACM, New York (2013)Google Scholar
  9. 9.
    Buchmann, J., Büscher, N., Göpfert, F., Katzenbeisser, S., Krämer, J., Micciancio, D., Siim, S., van Vredendaal, C., Walter, M.: Computation, creating cryptographic challenges using multi-party: the LWE challenge. In: Proceedings of 3rd ACM International Workshop on ASIA Public-Key Cryptography (AsiaCCS 2016), pp. 11–20 (2016)Google Scholar
  10. 10.
    Bischof, C., Buchmann, J., Dagdelen, Ö., Fitzpatrick, R., Göpfert, F., Mariano, A.: Nearest planes in practice. In: Ors, B., Preneel, B. (eds.) BalkanCryptSec 2014. LNCS, vol. 9024, pp. 203–215. Springer, Cham (2015). doi: 10.1007/978-3-319-21356-9_14 CrossRefGoogle Scholar
  11. 11.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_1 CrossRefGoogle Scholar
  12. 12.
    Detrey, J., Hanrot, G., Pujol, X., Stehlé, D.: Accelerating lattice reduction with FPGAs. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 124–143. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14712-8_8 CrossRefGoogle Scholar
  13. 13.
    Dagdelen, Ö., Schneider, M.: Parallel enumeration of shortest lattice vectors. In: D’Ambra, P., Guarracino, M., Talia, D. (eds.) Euro-Par 2010. LNCS, vol. 6272, pp. 211–222. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-15291-7_21 CrossRefGoogle Scholar
  14. 14.
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13190-5_13 CrossRefGoogle Scholar
  15. 15.
    Gama, N., Nguyen, P.Q.: Predicting Lattice Reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78967-3_3 CrossRefGoogle Scholar
  16. 16.
    Hermans, J., Schneider, M., Buchmann, J., Vercauteren, F., Preneel, B.: Parallel shortest lattice vector enumeration on graphics cards. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 52–68. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-12678-9_4 CrossRefGoogle Scholar
  17. 17.
    Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Kirshanova, E., May, A., Wiemer, F.: Parallel implementation of BDD enumeration for LWE. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 580–591. Springer, Cham (2016). doi: 10.1007/978-3-319-39555-5_31 Google Scholar
  19. 19.
    Kuo, P.-C., Schneider, M., Dagdelen, Ö., Reichelt, J., Buchmann, J., Cheng, C.-M., Yang, B.-Y.: Extreme enumeration on GPU and in clouds. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 176–191. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23951-9_12 CrossRefGoogle Scholar
  20. 20.
    Lenstra, A., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36095-4_19 CrossRefGoogle Scholar
  22. 22.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19074-2_21 CrossRefGoogle Scholar
  23. 23.
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Post-Quantum Cryptography, p. 147 (2009)Google Scholar
  24. 24.
    Regev, O.: On lattices, learning with errors, random linear codes, cryptography. J. ACM (JACM) 56(6), 34:1–34:40 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). doi: 10.1007/3-540-36494-3_14 CrossRefGoogle Scholar
  26. 26.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1–3), 181–199 (1994)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Rui Xu
    • 1
    Email author
  • Sze Ling Yeo
    • 2
  • Kazuhide Fukushima
    • 1
  • Tsuyoshi Takagi
    • 3
  • Hwajung Seo
    • 2
  • Shinsaku Kiyomoto
    • 1
  • Matt Henricksen
    • 4
  1. 1.KDDi Research Inc.FujiminoJapan
  2. 2.Institute for Infocomm Research (I2R)SingaporeSingapore
  3. 3.Institute of Mathematics for Industry (IMI)Kyushu UniversityFukuokaJapan
  4. 4.Huawei TechnologiesSingaporeSingapore

Personalised recommendations