Parallel Implementation of BDD Enumeration for LWE

  • Elena Kirshanova
  • Alexander May
  • Friedrich Wiemer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9696)

Abstract

One of the most attractive problems for post-quantum secure cryptographic schemes is the LWE problem. Besides combinatorial and algebraic attacks, LWE can be solved by a lattice-based Bounded Distance Decoding (BDD) approach. We provide the first parallel implementation of an enumeration-based BDD algorithm that employs the Lindner-Peikert and Linear Length pruning strategies. We ran our algorithm on a large variety of LWE parameters, from which we derive the following results. First, our parallel enumeration achieves an almost perfect speed-up, which allows us to give, for the first time, practical cryptanalytic results on standard LWE parameters of meaningful size. Second, we conclude that lattice-based attacks perform better than recent advanced BKW-type algorithms even for small noise, while requiring far fewer samples. Third, we experimentally show weaknesses in a binary matrix LWE proposal of Galbraith.

Keywords

LWE security, Bounded distance decoding, Lattices

Notes

Acknowledgments

We thank Gottfried Herold and the anonymous reviewers for their helpful feedback and valuable suggestions. Elena Kirshanova and Friedrich Wiemer were supported by UbiCrypt, the research training group 1817/1 funded by the DFG.

References

  1. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005, pp. 84–93. ACM (2005)
  2. Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Heidelberg (2014). https://eprint.iacr.org/2013/839
  3. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://eprint.iacr.org/2010/613
  4. Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013)
  5. Albrecht, M.R., Cid, C., Faugère, J., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Des. Codes Crypt. 74(2), 325–354 (2015)
  6. Guo, Q., Johansson, T., Stankovski, P.: Coded-BKW: solving LWE using lattice codes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 23–42. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_2
  7. Kirchner, P., Fouque, P.-A.: An improved BKW algorithm for LWE with applications to cryptography and lattices. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_3. https://eprint.iacr.org/2015/552
  8. Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011, Part I. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011)
  9. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptology 9(3), 169–203 (2015). https://eprint.iacr.org/2015/046
  10. Kannan, R.: Minkowski's convex body theorem and integer programming. Mathematics of Operations Research 12(3), 415–440 (1987). ISSN 0364-765X, 1526-5471
  11. Luzzi, L., Stehlé, D., Ling, C.: Decoding by embedding: correct decoding radius and DMT optimality. IEEE Trans. Inf. Theory 59(5), 2960–2973 (2013)
  12. Galbraith, S.D.: Space-efficient variants of cryptosystems based on learning with errors. https://www.math.auckland.ac.nz/~sgal018/compact-LWE.pdf
  13. Shoup, V.: Number theory library 9.6.2 (NTL) for C++. http://www.shoup.net/ntl/
  14. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://www.iacr.org/archive/asiacrypt2011/70730001/70730001.pdf
  15. Buchmann, J., Cabarcas, D., Göpfert, F., Hülsing, A., Weiden, P.: Discrete Ziggurat: a time-memory trade-off for sampling from a Gaussian distribution over the integers. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 402–417. Springer, Heidelberg (2014). https://eprint.iacr.org/2013/510
  16. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork, C. (ed.) STOC 2008, pp. 197–206. ACM (2008)
  17. Babai, L.: On Lovász' lattice reduction and the nearest lattice point problem. In: Mehlhorn, K. (ed.) STACS 1985. LNCS, vol. 182, pp. 13–20. Springer, Heidelberg (1985)
  18. Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://www.iacr.org/archive/eurocrypt2010/66320257/66320257.pdf
  19. Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013). https://eprint.iacr.org/2013/069
  20. Buchmann, J., Göpfert, F., Player, R., Wunderer, T.: On the hardness of LWE with binary error: revisiting the hybrid lattice-reduction and meet-in-the-middle attack. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 24–43. Springer, Heidelberg (2016). doi:10.1007/978-3-319-31517-1_2. https://eprint.iacr.org/2016/089
  21. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Elena Kirshanova (1)
  • Alexander May (1)
  • Friedrich Wiemer (1)
  1. Horst Görtz Institute for IT-Security, Faculty of Mathematics, Ruhr University Bochum, Bochum, Germany