Coded-BKW with Sieving

  • Qian Guo
  • Thomas Johansson
  • Erik Mårtensson
  • Paul Stankovski
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10624)

Abstract

The Learning with Errors problem (LWE) has become a central topic in recent cryptographic research. In this paper, we present a new solving algorithm that combines important ideas from previous work on improving the BKW algorithm with ideas from sieving in lattices. The new algorithm is analyzed and shown to have improved asymptotic performance. For Regev parameters \(q=n^2\) and noise level \(\sigma = n^{1.5}/(\sqrt{2\pi }\log _{2}^{2}n)\), the asymptotic complexity is \(2^{0.895n} \) in the standard setting, improving on the previously best known complexity of roughly \(2^{0.930n} \). Improved performance is also indicated for concrete parameter instances.

Keywords

LWE; BKW; Coded-BKW; Lattice codes; Lattice sieving

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Qian Guo (1, 2), corresponding author
  • Thomas Johansson (1)
  • Erik Mårtensson (1)
  • Paul Stankovski (1)

  1. Department of Electrical and Information Technology, Lund University, Lund, Sweden
  2. ICTEAM/ELEN/Crypto Group, Université Catholique de Louvain, Ottignies-Louvain-la-Neuve, Belgium