Skip to main content
SpringerLink
Log in

Making the BKW Algorithm Practical for LWE

  • Conference paper
  • First Online:
Progress in Cryptology – INDOCRYPT 2020 (INDOCRYPT 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12578))

Included in the following conference series:

Abstract

The Learning with Errors (LWE) problem is one of the main mathematical foundations of post-quantum cryptography. One of the main groups of algorithms for solving LWE is the Blum-Kalai-Wasserman (BKW) algorithm. This paper presents new improvements for BKW-style algorithms for solving LWE instances. We target minimum concrete complexity and we introduce a new reduction step where we partially reduce the last position in an iteration and finish the reduction in the next iteration, allowing non-integer step sizes. We also introduce a new procedure in the secret recovery by mapping the problem to binary problems and applying the Fast Walsh Hadamard Transform. The complexity of the resulting algorithm compares favourably to all other previous approaches, including lattice sieving. We additionally show the steps of implementing the approach for large LWE problem instances. The core idea here is to overcome RAM limitations by using large file-based memory.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The point of inverting all position values if \(x_1 < 0\) is to make sure that samples that get reduced when added should be given the same index. For example \((x_1, x_2, \ldots , x_{n_1 + 1})\) and \((- x_1, - x_2, \ldots , - x_{n_1 + 1})\) are mapped to the same category.

  2. 2.

    Depending on what reduces the sample the most.

  3. 3.

    Also here the point of inverting all position values if \(x_{N_{l - 1} + 1} < 0\) is to make sure that samples that get reduced when added should be given the same index. For example \((x_{N_{l - 1} + 1}, x_{N_{l - 1} + 2}, \ldots , x_{N_l + 1})\) and \((- x_{N_{l - 1} + 1}, - x_{N_{l - 1} + 2}, \ldots , - x_{N_l + 1})\) are mapped to the same category.

  4. 4.

    The number of categories is doubled compared with the LF2 setting for LPN. The difference is that we could add and subtract samples for LWE.

  5. 5.

    In this section a category is defined slightly differently from the rest of the paper. A category together with its adjacent category are together what we simply refer to as a category in the rest of the paper.

  6. 6.

    we used rounded Gaussian noise for simplicity of implementation.

References

  1. NIST Post-Quantum Cryptography Standardization. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization. Accessed 24 Sep 2018

  2. TU Darmstadt Learning with Errors Challenge. https://www.latticechallenge.org/lwe_challenge/challenge.php. Accessed 01 May 2020

  3. Albrecht, M., Cid, C., Faugere, J.C., Fitzpatrick, R., Perret, L.: On the complexity of the arora-Ge algorithm against LWE (2012)

    Google Scholar 

  4. Albrecht, M.R., Cid, C., Faugère, J.-C., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Des. Codes Crypt. 74(2), 325–354 (2013). https://doi.org/10.1007/s10623-013-9864-x

    Article  MathSciNet  MATH  Google Scholar 

  5. Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25

    Chapter  MATH  Google Scholar 

  6. Albrecht, M.R., Faugère, J.-C., Fitzpatrick, R., Perret, L.: Lazy modulus switching for the BKW algorithm on LWE. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 429–445. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_25

    Chapter  Google Scholar 

  7. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Crypt. 9(3), 169–203 (2015)

    MathSciNet  MATH  Google Scholar 

  8. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35

    Chapter  Google Scholar 

  9. Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22006-7_34

    Chapter  Google Scholar 

  10. Baignères, T., Junod, P., Vaudenay, S.: How far can we go beyond linear cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_31

    Chapter  Google Scholar 

  11. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 10–24. ACM-SIAM, Arlington, VA, USA, 10–12 January 2016

    Google Scholar 

  12. Blum, A., Furst, M., Kearns, M., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_24

    Chapter  Google Scholar 

  13. Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. In: 32nd Annual ACM Symposium on Theory of Computing, pp. 435–440. ACM Press, Portland, OR, USA, 21–23 May 2000

    Google Scholar 

  14. Chose, P., Joux, A., Mitton, M.: Fast correlation attacks: an algorithmic point of view. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 209–221. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_14

    Chapter  Google Scholar 

  15. Delaplace, C., Esser, A., May, A.: Improved low-memory subset sum and LPN algorithms via multiple collisions. In: Albrecht, M. (ed.) IMACC 2019. LNCS, vol. 11929, pp. 178–199. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35199-1_9

    Chapter  MATH  Google Scholar 

  16. Duc, A., Tramèr, F., Vaudenay, S.: Better algorithms for LWE and LWR. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 173–202. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_8

    Chapter  Google Scholar 

  17. Esser, A., Heuer, F., Kübler, R., May, A., Sohler, C.: Dissection-BKW. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 638–666. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_22

    Chapter  Google Scholar 

  18. Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 486–514. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_17

    Chapter  Google Scholar 

  19. Guo, Q., Johansson, T., Löndahl, C.: Solving LPN using covering codes. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 1–20. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_1

    Chapter  Google Scholar 

  20. Guo, Q., Johansson, T., Löndahl, C.: Solving LPN using covering codes. J. Cryptol. 33(1), 1–33 (2020)

    Article  MathSciNet  Google Scholar 

  21. Guo, Q., Johansson, T., Mårtensson, E., Stankovski, P.: Coded-BKW with sieving. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 323–346. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_12

    Chapter  Google Scholar 

  22. Guo, Q., Johansson, T., Mårtensson, E., Stankovski Wagner, P.: On the asymptotics of solving the LWE problem using coded-BKW with sieving. IEEE Trans. Inf. Theory 65(8), 5243–5259 (2019)

    Article  MathSciNet  Google Scholar 

  23. Guo, Q., Johansson, T., Stankovski, P.: Coded-BKW: solving LWE using lattice codes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 23–42. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_2

    Chapter  Google Scholar 

  24. Herold, G., Kirshanova, E., May, A.: On the asymptotic complexity of solving LWE. Des. Codes Crypt. 86(1), 55–83 (2017). https://doi.org/10.1007/s10623-016-0326-0

    Article  MathSciNet  MATH  Google Scholar 

  25. Kirchner, P.: Improved generalized birthday attack. Cryptology ePrint Archive, Report 2011/377 (2011). http://eprint.iacr.org/2011/377

  26. Kirchner, P., Fouque, P.-A.: An improved BKW algorithm for LWE with applications to cryptography and lattices. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 43–62. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_3

    Chapter  Google Scholar 

  27. Levieil, É., Fouque, P.-A.: An improved LPN algorithm. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 348–359. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_24

    Chapter  Google Scholar 

  28. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE–based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21

    Chapter  Google Scholar 

  29. Lu, Y., Meier, W., Vaudenay, S.: The conditional correlation attack: a practical attack on Bluetooth encryption. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 97–117. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_7

    Chapter  Google Scholar 

  30. Mårtensson, E.: The asymptotic complexity of coded-BKW with sieving using increasing reduction factors. In: 2019 IEEE International Symposium on Information Theory (ISIT), pp. 2579–2583 (2019)

    Google Scholar 

  31. Meier, W., Staffelbach, O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1(3), 159–176 (1988). https://doi.org/10.1007/BF02252874

    Article  MathSciNet  MATH  Google Scholar 

  32. Mulder, E.D., Hutter, M., Marson, M.E., Pearson, P.: Using bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version. J. Cryptographic Eng. 4(1), 33–45 (2014)

    Article  Google Scholar 

  33. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, pp. 84–93. ACM Press, Baltimore, MA, USA, 22–24 May 2005

    Google Scholar 

  34. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE Computer Society Press, Santa Fe, New Mexico, 20–22 November 1994

    Google Scholar 

Download references

Acknowledgements

This work was supported in part by the Swedish Research Council (Grants No. 2015–04528 and 2019–04166), the Norwegian Research Council (Grant No. 247742/070), and the Swedish Foundation for Strategic Research (Grant No. RIT17-0005 and strategic mobility grant No. SM17-0062). This work was also partially supported by the Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg Foundation.

Author information

Authors and Affiliations

  1. Department of Electrical and Information Technology, Lund University, Lund, Sweden

    Qian Guo, Thomas Johansson, Erik Mårtensson & Paul Stankovski Wagner

  2. Selmer Center, Department of Informatics, University of Bergen, Bergen, Norway

    Alessandro Budroni & Qian Guo

Authors
  1. Alessandro Budroni
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Qian Guo
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Thomas Johansson
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Erik Mårtensson
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Paul Stankovski Wagner
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alessandro Budroni .

Editor information

Editors and Affiliations

  1. Inria Paris, Paris, France

    Karthikeyan Bhargavan

  2. University of Klagenfurt, Klagenfurt, Austria

    Elisabeth Oswald

  3. Department of Computer Science and Engineering, Indian Institute of Technology Bombay, Mumbai, Maharashtra, India

    Manoj Prabhakaran

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Budroni, A., Guo, Q., Johansson, T., Mårtensson, E., Wagner, P.S. (2020). Making the BKW Algorithm Practical for LWE. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds) Progress in Cryptology – INDOCRYPT 2020. INDOCRYPT 2020. Lecture Notes in Computer Science(), vol 12578. Springer, Cham. https://doi.org/10.1007/978-3-030-65277-7_19

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-65277-7_19

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65276-0

  • Online ISBN: 978-3-030-65277-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation