Simple Analysis of Key Recovery Attack Against LWE

  • Masaya YasudaEmail author
Part of the Mathematics for Industry book series (MFI, volume 29)


Recently, the learning with errors (LWE) problem has become a central building block to construct modern schemes in lattice-based cryptography. The security of such schemes relies on the hardness of the LWE problem. In particular, LWE-based cryptography has been paid attention as a candidate of post-quantum cryptography. In 2015, Laine and Lauter analyzed a key recovery attack against the search variant of the LWE problem. Their analysis is based on a generalization of the Boneh–Venkatesan method for the hidden number problem to the LWE problem. They adopted the LLL algorithm and Babai’s nearest plane method in the attack, and they also demonstrated a successful range of the attack by experiments for hundreds of LWE instances. In this paper, we give a simple analysis of the attack. While Laine and Lauter’s analysis gives explicit information about the effective approximation factor in the LLL algorithm and Babai’s nearest plane method, our analysis is useful to estimate which LWE instances can be solved by the key recovery attack.


Lattices Lattice basis reduction Learning with errors (LWE) 



A part of this work was also supported by JSPS KAKENHI Grant Number 16H02830. The author thanks Momonari Kudo, Yang Guo, and Junpei Yamaguchi for their collecting experimental data.


  1. 1.
    M.A. Albrecht, C. Cid, J.-C. Faugère, R. Fitzpartrick, L. Perret, On the complexity of the BKW algorithm on LWE. Des. Codes Cryptogr. 74, 325–354 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    M.A. Albrecht, C. Cid, J.-C. Faugère, L. Perret, Algebraic algorithms for LWE, IACR ePrint 2014/1018Google Scholar
  3. 3.
    Y. Aono, Y. Wang, T. Hayashi, T. Takagi, Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator, in Advances in Cryptology-EUROCRYPT 2016, vol. 9665 (Springer LNCS, 2016), pp. 789–819Google Scholar
  4. 4.
    S. Arora, R. Ge, New algorithms for learning in presence of errors, in Automata, Languages and Programming vol. 6755 (Springer LNCS, 2011), pp. 403–415Google Scholar
  5. 5.
    M.R. Albrecht, R. Player, S. Scott, On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    L. Babai, On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    A. Blum, A. Kalai, H. Wasserman, Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    D. Boneh, R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes, in Advances in Cryptology-CRYPTO 1996, vol. 1109 (Springer LNCS, 1996), pp. 129–142Google Scholar
  9. 9.
    Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, in Innovations in Theoretical Computer Science–ITCS 2012 (ACM, 2012), pp. 309–325Google Scholar
  10. 10.
    Z. Brakerski, A. Langlois, C. Peikert, O. Regev, D. Stehlé, Classical hardness of learning with errors, in Theory of Computing–STOC 2013 (ACM, 2013), pp. 575–584Google Scholar
  11. 11.
    Z. Brakerski, V. Vaikuntanathan, Fully homomorphic encryption from ring-LWE and security for key dependent messages, in Advances in Cryptology-CRYPTO 2011, vol. 6841 (Springer LNCS, 2011), pp. 505–524Google Scholar
  12. 12.
    Z. Brakerski, V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, in Foundations of Computer Science–FOCS 2011 (IEEE, 2011), pp. 97–106Google Scholar
  13. 13.
    M.R. Bremner, Lattice Basis Reduction: An Introduction to the LLL Algorithm and its Applications (CRC Press, Boca Raton, 2011)Google Scholar
  14. 14.
    J. Buchmann et al., Creating cryptographic challenges using muti-party computation: the LWE challenge, in AsiaPKC 2016 (ACM, 2016), pp. 11–20Google Scholar
  15. 15.
    Y. Chen, P.Q. Nguyen, BKZ 2.0: Better lattice security estimates, in Advances in Cryptology–ASIACRYPT 2011, vol. 7073 (Springer LNCS, 2011), pp. 1–20Google Scholar
  16. 16.
    S.D. Galbraith, Mathematics of Public Key Cryptography (Cambridge University Press, Cambridge, 2012)CrossRefzbMATHGoogle Scholar
  17. 17.
    N. Gama, P.Q. Nguyen, Predicting lattice reduction, in Advances in Cryptology-EUROCRYPT 2008, vol. 4965 (Springer LNCS, 2008), pp. 31–51Google Scholar
  18. 18.
    C. Gentry, S. Gorbunov, S. Halevi, Graph-induced multilinear maps from lattices, in Theory of Cryptography-TCC 2015, vol. 9015 (Springer LNCS, 2015) pp. 498–527Google Scholar
  19. 19.
    R. Kannan, Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    M.J. Kearns, Y. Mansour, D. Ron, R. Rubinfeld, R.E. Schapire, L. Sellie, On the learnability of discrete distributions, in Theory of Computing–STOC 1994 (ACM, 1994) pp. 273–282Google Scholar
  21. 21.
    M. Kudo, J. Yamaguchi, Y. Guo, M. Yasuda, Practical analysis of key recovery attack against search-LWE problem, in International Workshop on Security-IWSEC 2016, vol. 9836 (Springer LNCS, 2016), pp. 164–181Google Scholar
  22. 22.
    K. Laine, K. Lauter, Key recovery for LWE in polynomial time, IACR ePrint 2015/176, (2015)Google Scholar
  23. 23.
    A.K. Lenstra, H.W. Lenstra, L. Lovász, Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    M. Liu, P.Q. Nguyen, Solving BDD by enumeration: a update, in Topics in Cryptology-CT-RSA 2013, vol. 7779 (Springer LNCS, 2013), pp. 293–309Google Scholar
  25. 25.
    R. Lindner, C. Peikert, Better key sizes (and attacks) for LWE-based encryption, in Topics in Cryptology-CT-RSA 2011, vol. 6558 (Springer LNCS, 2011), pp. 319–339Google Scholar
  26. 26.
    D. Miccincio, C. Peikert, Trapdoors for lattices: Simpler, tighter, faster, smaller, in Advances in Cryptology-EUROCRYPT 2012, vol.7237 (Springer LNCS, 2012), pp. 700–718 (2012)Google Scholar
  27. 27.
    D. Micciancio, O. Regev, Lattice-based cryptography, in Post Quantum Cryptography–PQCrypto 2009 (Springer, 2009), pp. 147–191Google Scholar
  28. 28.
    P.Q. Nguyen, B. Vallée, The LLL Algorithm, Information Security and Cryptography (Springer, Berlin, 2010)Google Scholar
  29. 29.
    National Institute of Standards and Technology (NIST), Report on post-quantum cryptography,
  30. 30.
    The PARI Group, PARI/GP,
  31. 31.
    C. Peikert, Public-key cryptosystems from the worst-case shortest vector problem: Extended abstract, in Theory of Computing–STOC 2009 (ACM, 2009), pp. 333–342Google Scholar
  32. 32.
    C. Peikert, Challenges for Ring-LWE,
  33. 33.
    C. Peikert, B. Waters, Lossy trapdoor functions and their applications. SIAM J. Comput. 40(6), 1803–1844 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  34. 34.
    O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in Theory of Computing–STOC 2005 (ACM, 2005), pp. 84–93Google Scholar
  35. 35.
    O. Regev, On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6) (2009), Article No. 34Google Scholar
  36. 36.
    The Sage Group, SageMath: Open-Source Mathematical Software System,
  37. 37.
    C.P. Schnorr, Lattice reduction by random sampling and birthday methods, in STACS 2003 (Springer LNCS 2606, 2003) pp. 145–156Google Scholar
  38. 38.
    C.P. Schnorr, M. Euchner, Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
  39. 39.

Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  1. 1.Institute of MathematicsKyushu UniversityFukuokaJapan

Personalised recommendations