Exploring Trade-offs in Batch Bounded Distance Decoding

  • Martin R. Albrecht
  • Benjamin R. CurtisEmail author
  • Thomas Wunderer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11959)


Algorithms for solving the Bounded Distance Decoding problem (BDD) are used for estimating the security of lattice-based cryptographic primitives, since these algorithms can be employed to solve variants of the Learning with Errors problem (LWE). In certain parameter regimes where the target vector is small and/or sparse, batches of BDD instances emerge from a combinatorial approach where several components of the target vector are guessed before decoding. In this work we explore trade-offs in solving “Batch-BDD”, and apply our techniques to the small-secret Learning with Errors problem. We compare our techniques to previous works which solve batches of BDD instances, such as the hybrid lattice-reduction and meet-in-the-middle attack. Our results are a mixed bag. We show that, in the “enumeration setting” and with BKZ reduction, our techniques outperform a variant of the hybrid attack which does not consider time-memory trade-offs in the guessing phase for certain Round5 (17-bits out of 466), Round5-IoT (19-bits out of 240), and NTRU LPrime (23-bits out of 385) parameter sets. On the other hand, our techniques do not outperform the Hybrid Attack under standard, albeit unrealistic, assumptions. Finally, as expected, our techniques do not improve on previous works in the “sieving setting” (under standard assumptions) where combinatorial attacks in general do not perform well.


Bounded distance decoding Cryptanalysis Hybrid attack Lattice-based cryptography LWE NTRU 



The authors thank the anonymous SAC reviewers for their feedback, which has been used to improve this work.


  1. [ACD+18]
    Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes!. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). Scholar
  2. [ACPS09]
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). Scholar
  3. [ADH+19]
    Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. Cryptology ePrint Archive, Report 2019/089 (2019). Scholar
  4. [ADPS16]
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (ed.) 25th USENIX Security Symposium, USENIX Security 16, pp. 327–343. USENIX Association (2016)Google Scholar
  5. [AGVW17]
    Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). Scholar
  6. [AKS01]
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: 33rd ACM STOC, pp. 601–610. ACM Press, July 2001Google Scholar
  7. [Alb17]
    Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 103–129. Springer, Cham (2017). Scholar
  8. [APS15]
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)MathSciNetCrossRefGoogle Scholar
  9. [BAA+17]
    Bindel, N., et al.: qTESLA. Technical report, National Institute of Standards and Technology (2017).
  10. [Bab86]
    Babai, L.: On lovász lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)MathSciNetCrossRefGoogle Scholar
  11. [BCLv17]
    Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime. Technical report, National Institute of Standards and Technology (2017).
  12. [BCLv19]
    Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime. Technical report, National Institute of Standards and Technology (2019).
  13. [BDGL16]
    Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, January 2016Google Scholar
  14. [BG14]
    Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014). Scholar
  15. [BGL+18]
    Bhattacharya, S., et al.: Round5: compact and fast post-quantum public-key encryption. Cryptology ePrint Archive, Report 2018/725 (2018).
  16. [BGPW16]
    Buchmann, J., Göpfert, F., Player, R., Wunderer, T.: On the hardness of LWE with binary error: revisiting the hybrid lattice-reduction and meet-in-the-middle attack. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 24–43. Springer, Cham (2016). Scholar
  17. [BGV14]
    Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 6(3), 13 (2014)MathSciNetzbMATHGoogle Scholar
  18. [BLP+13]
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 575–584. ACM Press, June 2013Google Scholar
  19. [BPR12]
    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). Scholar
  20. [Che13]
    Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Paris 7 (2013)Google Scholar
  21. [CN11]
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). Scholar
  22. [CPL+17]
    Cheon, J.H., et al.: Lizard. Technical report, National Institute of Standards and Technology (2017).
  23. [DLdW16]
    Doulgerakis, E., Laarhoven, T., de Weger, B.: Finding closest lattice vectors using approximate Voronoi cells. Cryptology ePrint Archive, Report 2016/888 (2016).
  24. [dt16]
    The FPLLL development team. FPLLL, a lattice reduction library (2016).
  25. [Duc19]
  26. [DXL12]
    Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012).
  27. [FP85]
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–463 (1985)MathSciNetCrossRefGoogle Scholar
  28. [GHS12]
    Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). Scholar
  29. [GSW13]
    Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). Scholar
  30. [GvVW17]
    Göpfert, F., van Vredendaal, C., Wunderer, T.: A hybrid lattice basis reduction and quantum search attack on LWE. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 184–202. Springer, Cham (2017). Scholar
  31. [GZB+19]
    Garcia-Morchon, O., et al.: Round5. Technical report, National Institute of Standards and Technology (2019).
  32. [Hal18]
    Halevi, S.: HElib (2018).
  33. [How07]
    Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). Scholar
  34. [HPS96]
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a new high speed public key cryptosystem. Draft Distributed at Crypto 1996 (1996).
  35. [HPS+15]
    Hoffstein, J., et al.: Choosing parameters for NTRUEncrypt. Cryptology ePrint Archive, Report 2015/708 (2015).
  36. [Kan83]
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: 15th ACM STOC, pp. 193–206. ACM Press, April 1983Google Scholar
  37. [Laa16]
    Laarhoven, T.: Sieving for closest lattice vectors (with preprocessing). In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 523–542. Springer, Cham (2017). Scholar
  38. [LDK+17]
    Lyubashevsky, V., et al.: CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2017).
  39. [LN13]
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013). Scholar
  40. [LP11]
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). Scholar
  41. [LPR10]
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). Scholar
  42. [LS15]
    Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)MathSciNetCrossRefGoogle Scholar
  43. [Mic01]
    Micciancio, D.: The hardness of the closest vector problem with preprocessing. IEEE Trans. Inf. Theory 47(3), 1212–1215 (2001)MathSciNetCrossRefGoogle Scholar
  44. [Mic18]
    Micciancio, D.: On the hardness of LWE with binary error. Technical report, February 2018.
  45. [MS01]
    May, A., Silverman, J.H.: Dimension reduction methods for convolution modular lattices. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 110–125. Springer, Heidelberg (2001). Scholar
  46. [PAA+17]
    Poppelmann, T., et al.: NewHope. Technical report, National Institute of Standards and Technology (2017).
  47. [PFH+17]
    Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2017).
  48. [Reg05]
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005Google Scholar
  49. [SAB+17]
    Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2017).
  50. [Sch03]
    Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). Scholar
  51. [SE94]
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction. Improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)MathSciNetCrossRefGoogle Scholar
  52. [SEA18]
    Simple Encrypted Arithmetic Library (release 3.1.0). Microsoft Research, Redmond, WA, December 2018
  53. [SHRS17]
    Schanck, J.M., Hulsing, A., Rijneveld, J., Schwabe, P.: NTRU-HRSS-KEM. Technical report, National Institute of Standards and Technology (2017).
  54. [SPL+17]
    Seo, M., Park, J.H., Lee, D.H., Kim, S., Lee, S.-J.: EMBLEM and R.EMBLEM. Technical report, National Institute of Standards and Technology (2017).
  55. [SSTX09]
    Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). Scholar
  56. [Wun19]
    Wunderer, T.: A detailed analysis of the hybrid lattice-reduction and meet-in-the-middle attack. J. Math. Cryptol. 13(1), 1–26 (2019)MathSciNetCrossRefGoogle Scholar
  57. [ZCHW17]
    Zhang, Z., Chen, C., Hoffstein, J., Whyte, W.: NTRUEncrypt. Technical report, National Institute of Standards and Technology (2017).

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Martin R. Albrecht
    • 1
  • Benjamin R. Curtis
    • 1
    Email author
  • Thomas Wunderer
    • 2
  1. 1.Information Security Group, Royal HollowayUniversity of LondonEghamUK
  2. 2.Bundesamt für Sicherheit in der Informationstechnik (BSI)BonnGermany

Personalised recommendations