Abstract:Abstract. This work presents a study of the complexity of the Blum-Kalai-Wasserman (BKW) algorithm when applied to the Learning with Errors (LWE) problem, by providing refined estimates for the data and computational effort requirements for solving concrete instances of the LWE problem. We apply this refined analysis to suggested parameters for various LWE-based cryptographic schemes from the literature and compare with alternative approaches based on lattice reduction. As a result, we provide new upper bounds… Show more
“…For typical choices of parameters -i.e. q ≈ n c for some small constant c ≥ 1, a = log 2 n and b = n/ log 2 n -the complexity of BKW as analysed in [3] is O 2 cn · n log 2 2 n . For small secrets, a naive modulus switching technique allows reducing this complexity to O 2 n c+ log 2 d log 2 n · n log 2 2 n where 0 < d ≤ 1 is a small constant.…”
Section: Organisation Of the Paper And Main Resultsmentioning
confidence: 99%
“…This algorithm allow us to solve LWE in sub-exponential time as soon as the Gaussian distribution is sufficiently narrow, i.e. α · q < √ n. Recall that the security reduction [20] for LWE requires to consider discrete Gaussian with standard deviation α · q strictly bigger than √ n. However, from a practical point of view, the constants involved in this algorithm are so large that it is much more costly than other approaches for the parameters typically considered in cryptographic applications [2].…”
Section: Algorithms For Solving Lwementioning
confidence: 99%
“…The behaviour of the algorithm is relatively well understood and it was shown to outperform lattice reduction estimates when reducing LWE to SIS (when q is small), thus it provides a solid basis for analysing the concrete hardness of LWE instances [3].…”
Section: Algorithms For Solving Lwementioning
confidence: 99%
“…Following [3], we consider BKW -applied to Decision-LWE -as consisting of two stages: sample reduction and hypothesis testing. In this work, we only modify the first stage.…”
Section: A Modified Bkw Algorithm: Lazy Modulus Switchingmentioning
confidence: 99%
“…We now explain how to produce samples (ã i ,c i ) i≥0 that satisfy condition (2). For simplicity, we assume from now on that p = 2 κ .…”
Section: Sample Reduction For Short Secretsmentioning
Abstract. Some recent constructions based on LWE do not sample the secret uniformly at random but rather from some distribution which produces small entries. The most prominent of these is the binary-LWE problem where the secret vector is sampled from {0, 1} * or {−1, 0, 1} * . We present a variant of the BKW algorithm for binary-LWE and other small secret variants and show that this variant reduces the complexity for solving binary-LWE. We also give estimates for the cost of solving binary-LWE instances in this setting and demonstrate the advantage of this BKW variant over standard BKW and lattice reduction techniques applied to the SIS problem. Our variant can be seen as a combination of the BKW algorithm with a lazy variant of modulus switching which might be of independent interest.
“…For typical choices of parameters -i.e. q ≈ n c for some small constant c ≥ 1, a = log 2 n and b = n/ log 2 n -the complexity of BKW as analysed in [3] is O 2 cn · n log 2 2 n . For small secrets, a naive modulus switching technique allows reducing this complexity to O 2 n c+ log 2 d log 2 n · n log 2 2 n where 0 < d ≤ 1 is a small constant.…”
Section: Organisation Of the Paper And Main Resultsmentioning
confidence: 99%
“…This algorithm allow us to solve LWE in sub-exponential time as soon as the Gaussian distribution is sufficiently narrow, i.e. α · q < √ n. Recall that the security reduction [20] for LWE requires to consider discrete Gaussian with standard deviation α · q strictly bigger than √ n. However, from a practical point of view, the constants involved in this algorithm are so large that it is much more costly than other approaches for the parameters typically considered in cryptographic applications [2].…”
Section: Algorithms For Solving Lwementioning
confidence: 99%
“…The behaviour of the algorithm is relatively well understood and it was shown to outperform lattice reduction estimates when reducing LWE to SIS (when q is small), thus it provides a solid basis for analysing the concrete hardness of LWE instances [3].…”
Section: Algorithms For Solving Lwementioning
confidence: 99%
“…Following [3], we consider BKW -applied to Decision-LWE -as consisting of two stages: sample reduction and hypothesis testing. In this work, we only modify the first stage.…”
Section: A Modified Bkw Algorithm: Lazy Modulus Switchingmentioning
confidence: 99%
“…We now explain how to produce samples (ã i ,c i ) i≥0 that satisfy condition (2). For simplicity, we assume from now on that p = 2 κ .…”
Section: Sample Reduction For Short Secretsmentioning
Abstract. Some recent constructions based on LWE do not sample the secret uniformly at random but rather from some distribution which produces small entries. The most prominent of these is the binary-LWE problem where the secret vector is sampled from {0, 1} * or {−1, 0, 1} * . We present a variant of the BKW algorithm for binary-LWE and other small secret variants and show that this variant reduces the complexity for solving binary-LWE. We also give estimates for the cost of solving binary-LWE instances in this setting and demonstrate the advantage of this BKW variant over standard BKW and lattice reduction techniques applied to the SIS problem. Our variant can be seen as a combination of the BKW algorithm with a lazy variant of modulus switching which might be of independent interest.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.