Skip to main content

On the complexity of the BKW algorithm on LWE


This work presents a study of the complexity of the Blum–Kalai–Wasserman (BKW) algorithm when applied to the Learning with Errors (LWE) problem, by providing refined estimates for the data and computational effort requirements for solving concrete instances of the LWE problem. We apply this refined analysis to suggested parameters for various LWE-based cryptographic schemes from the literature and compare with alternative approaches based on lattice reduction. As a result, we provide new upper bounds for the concrete hardness of these LWE-based schemes. Rather surprisingly, it appears that BKW algorithm outperforms known estimates for lattice reduction algorithms starting in dimension \(n \approx 250\) when LWE is reduced to SIS. However, this assumes access to an unbounded number of LWE samples.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2


  1. It is common in the literature on LWE to parameterise discrete Gaussian distributions by \(s = \sigma \sqrt{2\pi }\) instead of \(\sigma \). Since we are mainly interested in the “size” of the noise, we deviate from this standard in this work.

  2. However, a detailed study of the algorithm to the LPN case was provided [14], which in fact heavily inspired this work. The authors of [14] conducted a detailed analysis of the BKW algorithm as applied to LPN, while also giving revised security estimates for some HB-type authentication protocols relying on the hardness of LPN.


  1. Agrawal S., Gentry C., Halevi S., Sahai A.: Discrete Gaussian Leftover Hash Lemma over infinite domains. Cryptology ePrint Archive, Report 2012/714, (2012). Accessed 27 Dec 2012.

  2. Ajtai M., Kumar R., Sivakumar, D.: Sampling short lattice vectors and the closest lattice vector problem. In: IEEE Conference on Computational Complexity, pp. 53–57 (2002).

  3. Albrecht M.R.: (2012). Accessed 30 June 2013.

  4. Albrecht M.R., Farshim P., Faugère J-.C., Perret L.: Polly Cracker, revisited. In: Advances in Cryptology—ASIACRYPT 2011. Lecture Notes in Computer Science, vol. 7073, pp. 179–196. Springer, Berlin. Cryptology ePrint Archive, Report 2011/289, (2011). Accessed 19 Nov 2012.

  5. Albrecht M., Cid C., Faugère J-.C., Fitzpatrick R., Perret L.: On the complexity of the Arora–Ge algorithm against LWE. In: Faugère J-.C., Gomez D., Gutierrez J., Perret L. (eds.) SCC ’12: Proceedings of the 3nd International Conference on Symbolic Computation and Cryptography, pp. 93–99. Castro-Urdiales, July (2012).

  6. Albrecht M.R., Fitzpatrick R., Cabracas D., Göpfert F., Schneider M.: A generator for LWE and Ring-LWE instances. (2013). Accessed 29 Apr 2013.

  7. Arora S.. Ge R.: New algorithms for learning in presence of errors. In: Aceto L., Henzinger M., Sgall J. (eds.) ICALP. Lecture Notes in Computer Science, vol. 6755, pp. 403–415. Springer, Berlin (2011).

  8. Baigneres T., Junod P., Vaudenay S.: How far can we go beyond linear cryptanalysis? In: Lee P.J. (ed.) Advances in Cryptology—ASIACRYPT 2004. Lecture Notes in Computer Science, vol. 3329, pp. 432–450, Springer, Berlin (2004).

  9. Blum A., Kalai A., Wasserman H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM. 50(4), 506–519 (2003).

    Google Scholar 

  10. Brakerski Z., Vaikuntanathan V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky R. (ed.) IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, pp. 97–106. IEEE (2011).

  11. Brakerski Z., Langlois A., Peikert C., Regev O., Stehlé D.: Classical hardness of learning with errors. STOC. (2013) (to appear).

  12. Chen Y., Nguyen P.Q.: BKZ 2.0: better lattice security estimates. In: Lee D.H., Wang X. (eds.) Advances in Cryptology—ASIACRYPT 2011. Lecture Notes in Computer Science, vol. 7073, pp. 1–20, Springer, Berlin (2011).

  13. Duembgen L.: Bounding standard gaussian tail probabilities. arXiv:1012.2063 (2010).

  14. Fouque P-.A., Levieil É.: An improved LPN algorithm. In: De Prisco R., Yung M. (eds.) Security and Cryptography for Networks, 5th International Conference, SCN 2006. Lecture Notes in Computer Science, vol. 4116, pp. 348–359. Springer, Berlin (2006).

  15. Gama N., Nguyen P.Q., Regev O.: Lattice enumeration using extreme pruning. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, pp. 257–278. Springer, Berlin (2010).

  16. Gentry C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University. (2009).

  17. Gentry C., Peikert C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 08: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM (2008).

  18. Hanrot G., Pujol X., Stehlé, D.: Algorithms for the shortest and closest lattice vector problems. In: Chee Y.M., Guo Z., Ling S., Shao F., Tang Y., Wang H., Xing C. (eds.) IWCC. Lecture Notes in Computer Science, vol. 6639, pp. 159–190. Springer, Berlin (2011).

  19. Hanrot G., Pujol X., Stehlé D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway P. (ed.) Advances in Cryptology—CRYPTO 2011. Lecture Notes in Computer Science, vol. 6841, pp. 447–464. Springer, Berlin (2011).

  20. Johansson F. et al.: mpmath: a Python library for arbitrary-precision floating-point arithmetic (version 0.17), February 2011. Accessed 30 June 2013.

  21. Lindner R., Peikert C.: Better key sizes (and attacks) for LWE-based encryption. In: Topics in Cryptology—CT-RSA 2011. Lecture Notes in Computer Science, vol. 6558, pp. 319–339, Springer, Berlin (2011).

  22. Liu M., Nguyen P.Q.: Solving BDD by enumeration: An update. In: Dawson E. (ed.) CT-RSA. Lecture Notes in Computer Science, vol. 7779, pp. 293–309. Springer, Berlin (2013).

  23. Lyubashevsky V., Micciancio D., Peikert C., Rosen A.: SWIFFT: A modest proposal for FFT hashing. In: Nyberg K. (ed.) Fast Software Encryption. Lecture Notes in Computer Science, vol. 5086, pp. 54–72. Springer, Berlin (2008).

  24. Micciancio D., Regev O.: Lattice-based cryptography. In: Bernstein D.J., Buchmann J., Dahmen E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Berlin (2009).

  25. Morel I., Stehlé D., Villard G.: H-LLL: using householder inside LLL. In: Johnson J.R., Park H., Kaltofen E. (eds) Symbolic and Algebraic Computation, International Symposium, ISSAC, 2009 pp. 271–278. ACM (2009).

  26. Nguyen P.Q.: Lattice reduction algorithms: theory and practice. In: Paterson K.G. (eds.) Advances in Cryptology—EUROCRYPT 2011. Lecture Notes in Computer Science, vol. 6632, pp. 2–6. Springer, Berlin (2011).

  27. Nguyen P.Q., Stehlé D.: Low-dimensional lattice basis reduction revisited. ACM Trans. Algorithms 5(4) (2009).

  28. Pujol X., Stehlé D.: Solving the shortest lattice vector problem in time \(2^{2.465n}\). IACR Cryptology ePrint Archive 2009:605 (2009).

  29. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM. 56(6), 84–93 (2009).

    Google Scholar 

  30. Regev O.: The learning with errors problem (invited survey). In: IEEE Conference on Computational Complexity, pp. 191–204. IEEE Computer Society (2010).

  31. Rückert M., Schneider M.: Estimating the security of lattice-based cryptosystems. IACR Cryptology ePrint Archive 2010, 137 (2010).

  32. Stein W.A. et al.: Sage Mathematics Software (Version 5.2). The Sage Development Team, (2012). Accessed 30 June 2013.

Download references


We are grateful to Frederik Johansson for advice on numerical integration. We are also grateful to anonymous referees whose feedback substantially improved this work. The work described in this paper has been partially supported by the Royal Society Grant JP090728 and by the Commission of the European Communities through the ICT program under contract ICT-2007-216676 (ECRYPT-II). Jean-Charles Faugère, and Ludovic Perret are also supported by the Computer Algebra and Cryptography (CAC) project (ANR-09-JCJCJ-0064-01) and the HPAC grant of the French National Research Agency. Carlos Cid is supported in part by the US Army Research Laboratory and the UK Ministry of Defence under Agreement Number W911NF-06-3-0001. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the US Army Research Laboratory, the U.S. Government, the UK Ministry of Defense, or the UK Government. The US and UK Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Robert Fitzpatrick.

Additional information

Communicated by R. Steinwandt.

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Albrecht, M.R., Cid, C., Faugère, JC. et al. On the complexity of the BKW algorithm on LWE. Des. Codes Cryptogr. 74, 325–354 (2015).

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI:


  • Learning with errors
  • BKW
  • LPN
  • FHE

Mathematics Subject Classification

  • 94A60