Designs, Codes and Cryptography, Volume 86, Issue 1, pp 55–83

On the asymptotic complexity of solving LWE

  • Gottfried Herold
  • Elena Kirshanova
  • Alexander May


We provide for the first time an asymptotic comparison of all known algorithms for the search version of the Learning with Errors (LWE) problem. This includes an analysis of several lattice-based approaches as well as the combinatorial BKW algorithm. Our analysis of the lattice-based approaches defines a general framework, in which the algorithms of Babai, Lindner–Peikert and several pruning strategies appear as special cases. We show that within this framework, all lattice algorithms achieve the same asymptotic complexity. For the BKW algorithm, we present a refined analysis for the case of only a polynomial number of samples via amplification, which allows for a fair comparison with lattice-based approaches. Somewhat surprisingly, such a small number of samples does not make the asymptotic complexity significantly inferior, but only affects the constant in the exponent. As the main result we obtain that both lattice-based techniques and BKW with a polynomial number of samples achieve running time \(2^{{\mathcal {O}}(n)}\) for n-dimensional LWE, where we make the constant hidden in the big-\({\mathcal {O}}\) notation explicit as a simple and easy-to-handle function of all LWE parameters. In the lattice case this function also depends on the time to compute a BKZ lattice basis with block size \(\varTheta (n)\). Thus, from a theoretical perspective our analysis reveals how LWE’s complexity changes as a function of the LWE parameters, and from a practical perspective our analysis is a useful tool to choose LWE parameters resistant to all currently known attacks.


Cryptography, Data encryption, LWE security, Bounded Distance Decoding, Lattices, BKW

Mathematics Subject Classification

94A60 68P25 



Funding was provided by Deutsche Forschungsgemeinschaft (DFG) (Grant Nos. GRK 817 Ubicrypt, UbiCrypt (GRK 1817/1)) and FSC: Fast and Sound Cryptography (Grant No. ERC Starting Grant 307952).



Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  1. Faculty of Mathematics, Horst Görtz Institute for IT-Security, Ruhr University Bochum, Bochum, Germany
