On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL
Abstract
We present novel variants of the dual-lattice attack against LWE in the presence of an unusually short secret. These variants are informed by recent progress in BKW-style algorithms for solving LWE. Applying them to parameter sets suggested by the homomorphic encryption libraries HElib and SEAL yields revised security estimates. Our techniques scale the exponent of the dual-lattice attack by a factor of \((2\,L)/(2\,L+1)\) when \(\log q = \varTheta {\left( L \log n\right) }\), when the secret has constant Hamming weight \(h\) and where \(L\) is the maximum depth of supported circuits. They also allow us to halve the dimension of the lattice under consideration at a multiplicative cost of \(2^{h}\) operations. Moreover, our techniques yield revised concrete security estimates. For example, both libraries promise 80 bits of security for LWE instances with \(n=1024\) and \(\log _2 q \approx {47}\), while the techniques described in this work lead to estimated costs of 68 bits (SEAL) and 62 bits (HElib).
Keywords: Parameter Choice, Lattice Reduction, Homomorphic Encryption, Short Vector, Homomorphic Encryption Scheme
1 Introduction
Learning with Errors (LWE), defined in Definition 1, has proven to be a rich source of cryptographic constructions, from public-key encryption and Diffie-Hellman-style key exchange (cf. [Reg09, Pei09, LPR10, DXL12, BCNS15, ADPS16, BCD+16]) to fully homomorphic encryption (cf. [BV11, BGV12, Bra12, FV12, GSW13, CS15]).
Definition 1
(LWE [Reg09]). Let \(n,\,q\) be positive integers, \(\chi \) be a probability distribution on \( \mathbb {Z} \) and \({\mathbf {s} }\) be a secret vector in \( \mathbb {Z}_q ^n\). We denote by \(L_{{\mathbf {s} },\chi ,{q}}\) the probability distribution on \( \mathbb {Z}_q ^n \times \mathbb {Z}_q \) obtained by choosing \({\mathbf {a} }\in \mathbb {Z}_q ^n\) uniformly at random, choosing \(e \in \mathbb {Z} \) according to \(\chi \) and considering it in \( \mathbb {Z}_q \), and returning \(({\mathbf {a} },c) = ({\mathbf {a} },\langle {\mathbf {a} },{\mathbf {s} }\rangle + e) \in \mathbb {Z}_q ^n \times \mathbb {Z}_q \).
Decision-LWE is the problem of deciding whether pairs \(({\mathbf {a} }, c)\in \mathbb {Z}_q ^n \times \mathbb {Z}_q \) are sampled according to \(L_{{\mathbf {s} },\chi ,{q}} \) or the uniform distribution on \( \mathbb {Z}_q ^n \times \mathbb {Z}_q \).
Search-LWE is the problem of recovering \({\mathbf {s} }\) from \(({\mathbf {a} }, c)=({\mathbf {a} },\langle {\mathbf {a} },{\mathbf {s} }\rangle + e) \in \mathbb {Z}_q ^n \times \mathbb {Z}_q \) sampled according to \(L_{{\mathbf {s} },\chi ,{q}} \).
We may write LWE instances in matrix form \(\left( \mathbf {A},\mathbf {c} \right) \), where rows correspond to samples \(\left( \mathbf {a} _i,c_i\right) \). In many instantiations, \(\chi \) is a discrete Gaussian distribution with standard deviation \(\alpha \,q /\sqrt{2\pi }\). In this work, however, as in many works on the cryptanalysis of LWE, the details of the error distribution do not matter as long as we can bound the size of the error under additions.
The bit-security of concrete LWE instances is a prominent area of current cryptographic research, in particular in light of standardisation initiatives for LWE-based schemes and LWE-based (somewhat) homomorphic encryption being proposed for applications such as computation with medical data [KL15]. See [APS15] for a relatively recent survey of known (classical) attacks.
Applications such as [KL15] are enabled by progress in homomorphic encryption in recent years. The two most well-known homomorphic encryption libraries are HElib and SEAL. HElib [GHS12a, HS14] implements BGV [BGV12]. SEAL v2.0 [LP16] implements FV [Bra12, FV12]. Both schemes fundamentally rely on the security of LWE.
However, results on the expected cost of solving generic LWE instances do not translate directly to LWE instances as used in fully homomorphic encryption (FHE). Firstly, because these instances are typically related to the Ring-LWE assumption [LPR10, LPR13] instead of plain LWE. Secondly, because these instances are typically small-secret instances. In particular, they typically sample the secret \({\mathbf {s} }\) from some distribution \(\mathcal {B}\) as defined below. We call such instances \(\mathcal {B}\)-secret LWE instances.
Definition 2
\(\mathcal {B}\): any distribution on \( \mathbb {Z}_q ^n\) where each component is \(\le 1\) in absolute value, i.e. \(\Vert {\mathbf {s} _{\left( {i}\right) }}\Vert \le 1\) for \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}\).
\(\mathcal {B}^{+}\): the distribution on \( \mathbb {Z}_q ^n\) where each component is independently sampled uniformly at random from \(\{0,1\}\).
\(\mathcal {B}^{-}\): the distribution on \( \mathbb {Z}_q ^n\) where each component is independently sampled uniformly at random from \(\{-1,0,1\}\).
\(\mathcal {B}^{+}_{h}\): the distribution on \( \mathbb {Z}_q ^n\) where components are sampled independently uniformly at random from \(\{0,1\}\) with the additional guarantee that at most \(h\) components are non-zero.
\(\mathcal {B}^{-}_{h}\): the distribution on \( \mathbb {Z}_q ^n\) where components are sampled independently uniformly at random from \(\{-1,0,1\}\) with the additional guarantee that at most \(h\) components are non-zero.
Remark 1
In [BLP+13], instances with \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}^{+} \) are referred to as binary-secret; \(\mathcal {B}^{+} \) is used in [FV12]; \(\mathcal {B}^{-} \) is used in Microsoft’s SEAL v2.0 library and [LN14]; \(\mathcal {B}^{-}_{64} \) is the default choice in HElib, cf. [GHS12b, Appendix C.1.1] and [HS14].
It is an open question how much easier, if at all, \(\mathcal {B}\)-secret LWE instances are compared to regular LWE instances. On the one hand, designers of FHE schemes typically ignore this issue [GHS12a, LN14, CS16]. This could be considered somewhat justified by a reduction from [ACPS09] showing that an LWE instance with an arbitrary secret can be transformed into an instance with a secret following the noise distribution in polynomial time and at the loss of n samples. Hence, such instances are not easier than instances with a uniformly random secret, assuming sufficiently many samples are available. As a consequence, LWE with a secret following the noise distribution is considered to be in normal form. Given that the noise in homomorphic encryption libraries is also typically rather small—SEAL and HElib use standard deviation \(\sigma \approx 3.2\)—the distribution \( \mathcal {B} \) gives rise to LWE instances which could be considered relatively close to normal-form LWE instances. However, considering the actual distributions, not just the standard deviations, it is known that LWE with error distribution \(\mathcal {B} \) is insecure once sufficiently many samples are available [AG11, ACFP14, KF15].
On the other hand, the best known reduction from regular LWE to \(\mathcal {B}^{+}\)-secret LWE has an expansion factor of \(\log q\) in the dimension. That is, [BLP+13] gives a reduction from regular LWE in dimension n to LWE with \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}^{+} \) in dimension \(n \log q\).
In contrast, even for noise with width \(\approx \sqrt{n}\) and \({\mathbf {s} }\leftarrow _{\$}\mathcal {B} \) the best known lattice attacks suggest an expansion factor of at most \(\log \log n\) [BG14], if at all. Overall, known algorithms do not perform significantly better for \(\mathcal {B}\)-secret LWE instances, perhaps reinforcing our confidence in the common approach of simply ignoring the special form of the secret.
One family of algorithms has recently seen considerable progress with regard to \(\mathcal {B}\)-secret instances: combinatorial algorithms. Already in [Reg09] it was observed that the BKW algorithm, originally proposed for LPN by Blum, Kalai and Wasserman [BKW00], leads to an algorithm in \(2^{\varTheta (n)}\) time and space for solving LWE. The algorithm proceeds by splitting the components of the vectors \(\mathbf {a} _i\) into blocks of k components. Then, it searches for collisions in the first block in an “elimination table” holding entries for (possibly) all \(q^k\) different values for that block. This table is constructed by sampling fresh \((\mathbf {a} _i, c_i)\) pairs from the LWE oracle. By subtracting vectors with colliding components in the first block, a vector of dimension \(n-k\) is recovered; applying the same subtraction to the corresponding \(c_i\) values produces an error of size \(\sqrt{2}\alpha \,q\). Repeating the process for consecutive blocks reduces the dimension further at the cost of an increase in the noise by a factor \(\sqrt{2}\) at each level. This process continues either until all components of \(\mathbf {a} _i\) are eliminated or until there are so few components left that exhaustive search can solve the remaining low-dimensional LWE instance.
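The reduction stage just described, as an added Python example (this is not code from the paper): it builds an elimination table on the first k coordinates, subtracts colliding samples to drop those coordinates, and repeats for the next block. The LWE oracle, the bounded error used in place of a discrete Gaussian (only the error bound matters for the argument), the toy sizes n = 6, k = 2, q = 31 and all function names are constructed here for illustration; the instance is built with a known secret only so that the error growth can be measured.

```python
import random


def lwe_oracle(rng, s, q, err_bound):
    """Constructed LWE oracle: a uniform in Z_q^n, e uniform in [-err_bound, err_bound]
    (a bounded stand-in for the discrete Gaussian; only the error bound matters here)."""
    a = [rng.randrange(q) for _ in range(len(s))]
    e = rng.randint(-err_bound, err_bound)
    return a, (sum(x * y for x, y in zip(a, s)) + e) % q


def bkw_reduce_block(samples, q, k):
    """One BKW reduction level: the first sample seen for each value of the first k
    coordinates is stored in the elimination table and subtracted from every later
    sample that collides with it. The difference is zero on those k coordinates, so
    they are dropped: dimension n -> n-k, error e_i - e_j."""
    table = {}
    reduced = []
    for a, c in samples:
        key = tuple(a[:k])
        if key in table:
            a2, c2 = table[key]
            reduced.append(([(x - y) % q for x, y in zip(a[k:], a2[k:])], (c - c2) % q))
        else:
            table[key] = (a, c)
    return reduced


def centred(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def error_of(sample, s_tail, q):
    """Recover the error of a reduced sample from the matching tail of the secret
    (only possible here because we constructed the instance and know s)."""
    a, c = sample
    return centred(c - sum(x * y for x, y in zip(a, s_tail)), q)


def bkw_demo(n=6, k=2, q=31, err_bound=1, num_samples=4000, levels=2, seed=7):
    """Run `levels` BKW reduction levels on constructed samples and report, per level,
    (dimension, number of samples produced, largest absolute error observed).
    The error bound doubles per level while its standard deviation grows by sqrt(2)."""
    rng = random.Random(seed)
    s = [rng.choice([-1, 0, 1]) for _ in range(n)]              # constructed ternary secret
    samples = [lwe_oracle(rng, s, q, err_bound) for _ in range(num_samples)]
    report = []
    for level in range(1, levels + 1):
        samples = bkw_reduce_block(samples, q, k)
        worst = max(abs(error_of(smp, s[level * k:], q)) for smp in samples)
        report.append((n - level * k, len(samples), worst))
    return report


if __name__ == "__main__":
    for dim, count, worst in bkw_demo():
        print(f"dimension {dim}: {count} samples, |error| <= {worst}")
```

Every reduced sample at a level is formed against the same table entry, so the produced errors are not independent; this is the same loss of independence that the amortised dual attack of Sect. 3 accepts heuristically.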
A first detailed study of this algorithm when applied to LWE was provided in [ACF+15]. Subsequently, improved variants were proposed: for small secret LWE instances via “lazy modulus switching” [AFFP14], via the application of an FFT in the last step of the algorithm [DTV15], via varying the block size k [KF15] and via rephrasing the problem as the coding-theoretic problem of quantisation [GJS15]. In particular, the works [KF15, GJS15] improve the exploitation of a small secret to the point where these techniques improve the cost of solving instances where the secret is as big as the error, i.e. arbitrary LWE instances. Yet, combinatorial algorithms do not perform well on FHE-style LWE instances because of the large dimension n required to accommodate the large modulus \(q\).
1.1 Our Contribution/Outline
We first review parameter choices in HElib and SEAL as well as known algorithms for solving LWE and related problems in Sect. 2.
Then, we reconsider the dual-lattice attack (or “dual attack” for short), which finds short vectors \(\mathbf {y} \) such that \(\mathbf {y} \cdot \mathbf {A} \equiv 0 \bmod q\) using lattice reduction. In particular, we recast this attack as the lattice-reduction analogue of the BKW algorithm and adapt techniques and lessons learned from BKW-style algorithms. Applying these techniques to parameter sets suggested for HElib and SEAL, we arrive at revised concrete and asymptotic security estimates.
First, in Sect. 3, we recall (the first stage of) BKW as a recursive dimension reduction algorithm for LWE instances. Each step transforms an LWE instance in dimension n to an instance in dimension \(n-k\) at the cost of an increase in the noise by a factor of \(\sqrt{2}\). This smaller instance is then reduced further by applying BKW again or solved using another algorithm for solving LWE; typically some form of exhaustive search once the dimension is small enough. To achieve this dimension reduction, BKW first produces elimination tables and then makes use of these tables to sample possibly many LWE samples in dimension \(n-k\) relatively cheaply. We translate this approach to lattice reduction in the low advantage regime: we perform one expensive lattice reduction step followed by many relatively cheap lattice reductions on re-randomised bases. This essentially reduces the overall solving cost by a factor of \(m\), where \(m\) is the number of samples required to distinguish a discrete Gaussian distribution with large standard deviation from uniform modulo \(q\). We note that this approach applies to any LWE instance, i.e. it does not rely on an unusually short secret and thus gives cause for a moderate revision of many LWE estimates based on the dual attack in the low advantage regime. It does, however, rely on the heuristic that these cheap lattice reduction steps produce sufficiently short and random vectors. We give evidence that this heuristic holds.
Second, in Sect. 4, we observe that the normal form of the dual attack—finding short vectors \(\mathbf {y} \) such that \(\mathbf {y} \cdot \mathbf {A} \equiv \mathbf {x} \bmod q\) is short—is a natural analogue of “lazy modulus switching” [AFFP14]. Then, to exploit the unusually small secret, we apply lattice scaling as in [BG14]. The scaling factor is somewhat analogous to picking the target modulus in modulus switching, resp. picking the (dimension of the) code for quantisation. This technique applies to any \(\mathcal {B}\)-secret LWE instance. For \(\mathcal {B}^{-}_{h} \)-secret instances, it reduces the cost of the dual attack by a factor of \(2\,L/(2\,L+1)\) in the exponent when \(\log q = \varTheta \left( L \log n \right) \) for \(L\) the supported depth of FHE circuits and when \(h\) is a constant.
Third, in Sect. 5, we focus on \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}_{h}^{\pm } \) and adapt the dual attack to find short vectors which produce zero when multiplied with a subset of the columns of \(\mathbf {A} \). This, as in BKW, produces a smaller, easier LWE instance which is then solved using another algorithm. In BKW, these smaller instances typically have very small dimension (say, 10). Here, we consider instances with dimensions of several hundred. This is enabled by exploiting the sparsity of the secret and by relaxing the conditions on the second step: we recover a solution only with a small probability of success. The basic form of this attack does not rely on the size of the non-zero components (only on the sparsity) and reduces the cost of solving an instance in dimension \(n\) to the cost of solving an instance in dimension \(n/2\) multiplied by \(2^{h}\), where \(h\) is the Hamming weight of the secret (other trade-offs between multiplicative cost increase and dimension reduction are possible and typically optimal). We also give an improved variant for when the non-zero components are also small.
Table 1. Costs of dual attacks on HElib and SEAL. Rows “\(\log _{2} q\)” give bit sizes for the maximal modulus for a given n; for SEAL it is taken from [LN14], for HElib it is chosen such that the expected cost is \(2^{80}\) resp. \(2^{128}\) s according to [GHS12a]. The rows “dual” give the log cost (in operations) of the dual attack according to our lattice-reduction estimates without taking any of our improvements into account; the row “\(\textsc {Silke} _{\mathrm{small}}\)” gives the log cost of Algorithm 3 with “sparse” set to false; the rows “\(\textsc {Silke} _{\mathrm{sparse}}\)” give the log cost of Algorithm 3 with “sparse” set to true. The “sparse” flag toggles whether the approach described in Sect. 5 is enabled in Algorithm 3.

| \(n\) | 1024 | 2048 | 4096 | 8192 | 16384 |
| SEAL 80-bit | | | | | |
| \(\log _{2} q\) | 47.5 | 95.4 | 192.0 | 392.1 | 799.6 |
| dual | 83.1 | 78.2 | 73.7 | 71.1 | 70.6 |
| \(\textsc {Silke} _{\mathrm{small}}\) | 68.1 | 69.0 | 68.2 | 68.4 | 68.8 |
| HElib 80-bit | | | | | |
| \(\log _{2} q\) | 47.0 | 87.0 | 167.0 | 326.0 | 638.0 |
| dual | 85.2 | 85.2 | 85.3 | 84.6 | 85.5 |
| \(\textsc {Silke} _{\mathrm{sparse}}\) | 61.3 | 65.0 | 67.9 | 70.2 | 73.1 |
| HElib 128-bit | | | | | |
| \(\log _{2} q\) | 38.0 | 70.0 | 134.0 | 261.0 | 511.0 |
| dual | 110.7 | 110.1 | 109.3 | 108.8 | 108.9 |
| \(\textsc {Silke} _{\mathrm{sparse}}\) | 73.2 | 77.4 | 81.2 | 84.0 | 86.4 |
Table 2. Logarithms of algorithm costs in operations mod \(q\) when applied to the example parameters \(n=2048\), \(q \approx 2^{63.4}\), \(\alpha \,\approx 2^{-60.4}\) and \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}^{-}_{64} \). The row “base line” gives the log cost of attacks according to our lattice-reduction estimates without taking any of our improvements into account.
2 Preliminaries
Logarithms are base 2 if not stated otherwise. We write vectors in bold, e.g. \(\mathbf {a} \), and matrices in upper-case bold, e.g. \(\mathbf {A} \). By \({\mathbf {a} _{\left( {i}\right) }}\) we denote the i-th component of \({\mathbf {a} }\), i.e. a scalar. In contrast, \({\mathbf {a} }_i\) is the i-th element of a list of vectors. We write \(\mathbf {I} _{m} \) for the \(m \times m\) identity matrix over whichever base ring is implied from context. We write \(\mathbf {0} _{m \times n} \) for the \(m \times n\) zero matrix. A lattice is a discrete subgroup of \(\mathbb {R}^n\). It can be represented by a basis \(\mathbf {B} \). We write \(\varLambda (\mathbf {B})\) for the lattice generated by the rows of the matrix \(\mathbf {B} \), i.e. all integer-linear combinations of the rows of \(\mathbf {B} \). We write \(\varLambda _q(\mathbf {B})\) for the q-ary lattice generated by the rows of the matrix \(\mathbf {B} \) over \( \mathbb {Z} _q\), i.e. the lattice spanned by the rows of \(\mathbf {B} \) and multiples of q. We write \(\mathbf {A} _{n:m} \) for the rows \(n,\ldots ,m-1\) of \(\mathbf {A} \). If the starting or end point is omitted, it is assumed to be 0 or the number of rows, respectively, i.e. we follow Python’s slice notation.
2.1 Rolling Example
Throughout, we are going to use Example 1 below to illustrate the behaviour of the techniques described here. See Table 2 for an overview of complexity estimates for solving this set of parameters using the techniques described in this work.
Example 1
The LWE dimension is \(n=2048\), the modulus is \(q \approx 2^{63.4}\), the noise parameter is \(\alpha \,\approx 2^{-60.4}\), i.e. we have a standard deviation of \(\sigma \approx 3.2\). We have \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}^{-}_{64} \), i.e. only \(h=64\) components of the secret are \(\pm 1\); all other components are zero. This set of parameters is inspired by parameter choices in HElib and produced by calling the function fhe_params(n=2048,L=2) of the LWE estimator from [APS15].
2.2 Parameter Choices in HElib
HElib [GHS12a, HS14] uses the cost of the dual attack for solving LWE to establish parameters. The dual strategy reduces the problem of distinguishing LWE from uniform to the SIS problem [Ajt96]:
Definition 3
Now, given samples \(\mathbf {A}, \mathbf {c} \) where either \(\mathbf {c} = \mathbf {A} \cdot \mathbf {s} + \mathbf {e} \) or \(\mathbf {c} \) uniform, we can distinguish the two cases by finding a short \(\mathbf {y} \) which solves SIS on \(\mathbf {A} \) and by computing \(\left\langle {\mathbf {y}},{\mathbf {c}}\right\rangle \). On the one hand, if \(\mathbf {c} = \mathbf {A} \cdot \mathbf {s} + \mathbf {e} \), then \(\left\langle {\mathbf {y}},{\mathbf {c}}\right\rangle = \left\langle {\mathbf {y} \cdot \mathbf {A}},{\mathbf {s}}\right\rangle + \left\langle {\mathbf {y}},{\mathbf {e}}\right\rangle \equiv \left\langle {\mathbf {y}},{\mathbf {e}}\right\rangle \pmod {q}\). If \(\mathbf {y} \) is short then \(\left\langle {\mathbf {y}},{\mathbf {e}}\right\rangle \) is also short. On the other hand, if \(\mathbf {c} \) is uniformly random, so is \(\left\langle {\mathbf {y}},{\mathbf {c}}\right\rangle \).
To pick a target norm for \(\mathbf {y} \), HElib picks \(\left\| {\mathbf {y}}\right\| = q\), which allows distinguishing with good probability because \(q\) is not too far from \(q/\sigma \), since \(\sigma \approx 3.2\) and \(q\) is typically rather large. More precisely, we may rely on the following lemma:
Lemma 1
To produce a short enough \(\mathbf {y} \), we may call a lattice-reduction algorithm. In particular, we may call the BKZ algorithm with block size \(\beta \). After performing BKZ-\(\beta \) reduction, the first vector in the transformed lattice basis will have norm \(\delta _0^m \cdot {\det (\varLambda )}^{1/m}\), where \(\det (\varLambda )\) is the determinant of the lattice under consideration, m its dimension and the root-Hermite factor \(\delta _0\) is a constant depending on the block size parameter \(\beta \). Increasing the parameter \(\beta \) leads to a smaller \(\delta _0\) but also to an increase in runtime; the runtime grows at least exponentially in \(\beta \) (see below).
In our case, the expression above simplifies to \(\left\| {\mathbf {y}}\right\| \approx \delta _0^m \cdot q^{n/m}\) w.h.p., where n is the LWE dimension and m is the number of samples we consider. The minimum of this expression is attained at \(m = \sqrt{\frac{n\,\log q}{\log \delta _0}}\) [MR09].
2.3 LP Model
The [LP11] model for estimating the cost of latticereduction is not correct.
Firstly, it expresses runtime in seconds instead of units of computation. As Moore’s law progresses and more parallelism is introduced, the number of instructions that can be performed in a second increases. Hence, we first must translate Eq. (1) to units of computation. The experiments of Lindner and Peikert were performed on a 2.33 GHz AMD Opteron machine, so we may assume that about \(2.33 \cdot 10^9\) operations can be performed on such a machine in one second, and we scale Eq. (1) accordingly.
Secondly, the LP model does not fit the implementation of BKZ in NTL. The BKZ algorithm internally calls an oracle for solving the shortest vector problem in smaller dimension. The most practically relevant algorithms for realising this oracle are enumeration without preprocessing (Fincke-Pohst), which costs \(2^{\varTheta (\beta ^2)}\) operations, enumeration with recursive preprocessing (Kannan), which costs \(\beta ^{\varTheta (\beta )}\), and sieving, which costs \(2^{\varTheta (\beta )}\). NTL implements enumeration without preprocessing. That is, while it was shown in [Wal15] that BKZ with recursive BKZ preprocessing achieves a runtime of \({\mathrm{poly}(n)} \cdot \beta ^{\varTheta (\beta )}\), NTL does not implement the necessary recursive preprocessing with BKZ in smaller dimensions. Hence, it runs in time \({\mathrm{poly}(n)} \cdot 2^{\varTheta (\beta ^2)}\) for block size \(\beta \).
Thirdly, the LP model assumes a linear relation between \(1/\log (\delta _0)\) and the log of the running time of BKZ, but from the “lattice rule of thumb” (\(\delta _0 \approx \beta ^{1/(2\beta )}\)) and \(2^{\varTheta (\beta )}\) being the complexity of the best known algorithm for solving the shortest vector problem, we get:
Lemma 2
To illustrate the difference between Lemma 2 and Eq. (1), consider Regev’s original parameters [Reg05] for LWE: \(q \approx n^2\), \(\alpha \,q \approx \sqrt{n}\). Then, solving LWE with the dual attack and advantage \(\epsilon \) requires a log root-Hermite factor \(\log \delta _0 ={\log ^2{\left( \alpha \left( \sqrt{\ln ({1/\varepsilon })/\pi }\right) ^{-1} \right) }}/{(4n \log {q})}\) [APS15]. Picking \(\varepsilon \) such that \(\log {\sqrt{\ln (1/\varepsilon )/\pi }} \approx 1\), the log root-Hermite factor becomes \(\log \delta _0 = \frac{9\, \log n }{32\,n}\). Plugging this result into Eq. (1), we would estimate that solving LWE for these parameters takes \( \log t_{BKZ}(\delta _0) = \frac{32\, n}{5\, \log n } - 110\) s, which is sub-exponential in n.
2.4 Parameter Choices in SEAL 2.0
SEAL v2.0 [LP16] largely leaves parameter choices to the user. However, it provides the ChooserEvaluator::default_parameter_options() function, which returns values from [LN14, Table 2]. This table gives a maximum \(\log q\) for 80 bits of security for \(n=1024, 2048, 4096, 8192, 16384\). We reproduce these values for \(\log q\) in Table 1. The default standard deviation is \(\sigma =3.19\).
The values of [LN14, Table 2] are based on enumeration costs and the simulator from [CN11, CN12]. Furthermore, to extrapolate from the enumeration costs available from [CN12], [LN14] assumes that the cost of calling the SVP oracle in BKZ grows only exponentially with \(\beta \), i.e. as \(2^{0.64\beta - 28}\). Note that this is overly optimistic, as [CN12] calls enumeration with recursive preprocessing to realise the SVP oracle inside BKZ, which has a complexity of \(\beta ^{\varTheta (\beta )}\).
Finally, we note that the SEAL v2.0 manual [LP16] cautions the user against relying on the security provided by the list of default parameters.
2.5 Lattice Reduction
We will estimate the cost of lattice reduction using the following assumptions: BKZ-\(\beta \) produces vectors with \(\delta _0 \approx {\left( \frac{\beta }{2 \pi e} {(\pi \beta )}^{\frac{1}{\beta }} \right) }^{\frac{1}{2(\beta -1)}}\) [Che13]. The SVP oracle in BKZ is realised using sieving, and sieving in block size \(\beta \) costs \(t_\beta = 2^{0.292\,\beta + 12.31}\) clock cycles. Here, \(0.292\,\beta \) follows from [BDGL16]; the additive constant \(+ 12.31\) is based on experiments in [Laa15]. BKZ-\(\beta \) costs \(c\,n \cdot t_\beta \) clock cycles in dimension n for some small constant \(c\) based on experiments in [Che13]; cf. [Che13, Figure 4.6]. This corresponds roughly to \(2\,c\) tours of BKZ. We pick \(c=8\) based on our experiments with [FPL16].
This estimate is more optimistic than the estimate in [APS15], which does not yet take [BDGL16] into account and bases the number of SVP oracle calls on theoretical convergence results [HPS11] instead of experimental evidence. On the other hand, this estimate is more pessimistic than [BCD+16], which assumes one SVP call to be sufficient in order to protect against future algorithmic developments. While such developments, amortising costs across SVP calls during one BKZ reduction, are plausible, we avoid this assumption here in order not to “oversell” our results. However, we note that our improvements are somewhat oblivious to the underlying lattice-reduction model used. That is, while the concrete estimates for bit-security will vary depending on which estimate is employed, the techniques described here lead to improvements over the plain dual attack regardless of model. For completeness, we give estimated costs in different cost models in Appendix C.
According to the [LP11] estimate, solving Example 1 costs \(2^{157.8}\) s or \(2^{188.9}\) operations using the standard dual attack. The estimates outlined in this section predict a cost of \(2^{124.2}\) operations for the same standard dual attack.
2.6 Related Work
LWE. Besides the dual attack, via BKW or lattice reduction, there is also the primal attack, which solves the bounded distance decoding (BDD) problem directly. That is, given \(\left( \mathbf {A},\mathbf {c} \right) \) with \(\mathbf {c} = \mathbf {A} \cdot \mathbf {s} + \mathbf {e} \) or \(\mathbf {c} \leftarrow _{\$}\mathcal {U}\left( { \mathbb {Z}_q ^m}\right) \), find \(\mathbf {s'} \) such that \({\mathbf {w} - \mathbf {c}}\) with \(\mathbf {w} = \mathbf {A} \cdot \mathbf {s'} \) is minimised. For this, we may employ Kannan’s embedding [AFG14] or variants of Babai’s nearest planes after lattice reduction [LP11, LN13]. For Example 1 the cost of the latter approach is \(2^{116.6}\) operations, i.e. about a factor 190 faster than the dual attack.
Arora & Ge proposed an asymptotically efficient algorithm for solving LWE [AG11], which was later improved in [ACFP14]. However, these algorithms involve large constants in the exponent, ruling them out for parameters typically considered in cryptography. We hence do not consider them further in this work.
Small-Secret LWE. As mentioned in [GHS12b], we can transform instances with an unusually short secret into instances where the secret follows the error distribution, but where n samples have the old, short secret as noise [ACPS09].
Given a random \(m \times n\) matrix \(\mathbf {A} \bmod q\) and an m-vector \(\mathbf {c} = \mathbf {A} \cdot \mathbf {s} + \mathbf {e} \bmod q\), let \(\mathbf {A} _0\) denote the first n rows of \(\mathbf {A} \), \(\mathbf {A} _1\) the next n rows, etc., let \(\mathbf {e} _0, \mathbf {e} _1, \ldots \) be the corresponding parts of the error vector and \(\mathbf {c} _0 , \mathbf {c} _1, \ldots \) the corresponding parts of \(\mathbf {c} \). We have \(\mathbf {c} _0 = \mathbf {A} _0 \cdot \mathbf {s} + \mathbf {e} _0\), or \(\mathbf {A} _0^{-1} \cdot \mathbf {c} _0 = \mathbf {s} + \mathbf {A} _0^{-1} \mathbf {e} _0\). For \(i > 0\) we have \(\mathbf {c} _i = \mathbf {A} _i \cdot \mathbf {s} + \mathbf {e} _i\), which together with the above gives \(\mathbf {A} _i \mathbf {A} _0^{-1} \mathbf {c} _0 - \mathbf {c} _i = \mathbf {A} _i \mathbf {A} _0^{-1} \mathbf {e} _0 - \mathbf {e} _i\). The output of the transformation is \(\mathbf {z} = \mathbf {B} \cdot \mathbf {e} _0 + \mathbf {f} \) with \(\mathbf {B} = (\mathbf {A} _0^{-1}\mid \mathbf {A} _1 \cdot \mathbf {A} _0^{-1}\mid \dots )\), \(\mathbf {z} = (\mathbf {A} _0^{-1} \mathbf {c} _0 \mid \mathbf {A} _1 \mathbf {A} _0^{-1} \mathbf {c} _0 - \mathbf {c} _1 \mid \ldots )\) and \(\mathbf {f} = (\mathbf {s} \mid -\mathbf {e} _1 \mid \dots )\). For Example 1, this reduces \(\alpha \) from \(2^{-60.4}\) to \(\approx 2^{-60.8}\) and marginally improves the cost of solving.
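The transformation above carried out in Python, as an added example that is not the paper's code: the modular matrix inverse, the block bookkeeping and the toy instance (n = 4, three blocks of samples, prime q = 97, ternary secret, error bounded by 2) are constructed here, and B is stored as the vertical stack of the blocks \(\mathbf{A}_0^{-1}, \mathbf{A}_1\mathbf{A}_0^{-1}, \ldots\) so that \(\mathbf{z} = \mathbf{B}\mathbf{e}_0 + \mathbf{f}\) is a plain matrix-vector product. The demo recovers \(\mathbf{f}\) from the known \(\mathbf{e}_0\) purely to check that it equals \((\mathbf{s} \mid -\mathbf{e}_1 \mid \ldots)\).

```python
import random


def mat_inv_mod(M, q):
    """Inverse of a square matrix over Z_q, q prime, by Gauss-Jordan; None if singular."""
    n = len(M)
    aug = [[M[i][j] % q for j in range(n)] + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [(x * inv) % q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                factor = aug[r][col]
                aug[r] = [(x - factor * y) % q for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def mat_mul_mod(X, Y, q):
    """X * Y over Z_q for row-major integer matrices."""
    return [[sum(x * y for x, y in zip(row, col)) % q for col in zip(*Y)] for row in X]


def mat_vec_mod(M, v, q):
    """M * v over Z_q."""
    return [sum(x * y for x, y in zip(row, v)) % q for row in M]


def centred(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def acps_transform(A, c, q):
    """[ACPS09] transformation of Sect. 2.6. A has n*(1+t) rows; A_0 is its first n rows.
    Returns (B, z): B is the vertical stack of A_0^{-1}, A_1 A_0^{-1}, ... and
    z = (A_0^{-1} c_0, A_1 A_0^{-1} c_0 - c_1, ...), so z = B e_0 + f mod q with
    f = (s, -e_1, ...): a new instance whose secret e_0 follows the error distribution."""
    n = len(A[0])
    if len(A) % n:
        raise ValueError("need a multiple of n samples")
    A0_inv = mat_inv_mod(A[:n], q)
    if A0_inv is None:
        raise ValueError("A_0 is singular; use a different first block of samples")
    c0 = c[:n]
    B, z = [], []
    for i in range(len(A) // n):
        Bi = A0_inv if i == 0 else mat_mul_mod(A[i * n:(i + 1) * n], A0_inv, q)
        zi = mat_vec_mod(Bi, c0, q)
        if i > 0:
            zi = [(x - y) % q for x, y in zip(zi, c[i * n:(i + 1) * n])]
        B.extend(Bi)
        z.extend(zi)
    return B, z


def transform_demo(n=4, blocks=3, q=97, seed=3):
    """Build a constructed small-secret instance, transform it, and return the error of
    the new instance (z - B e_0 mod q, centred) next to the expected (s, -e_1, ...)."""
    rng = random.Random(seed)
    s = [rng.choice([-1, 0, 1]) for _ in range(n)]                 # constructed ternary secret
    while True:                                                      # resample until A_0 is invertible
        A = [[rng.randrange(q) for _ in range(n)] for _ in range(blocks * n)]
        if mat_inv_mod(A[:n], q) is not None:
            break
    e = [rng.randint(-2, 2) for _ in range(blocks * n)]              # constructed small error
    c = [(sum(x * y for x, y in zip(row, s)) + ei) % q for row, ei in zip(A, e)]
    B, z = acps_transform(A, c, q)
    f = [centred(zi - bi, q) for zi, bi in zip(z, mat_vec_mod(B, e[:n], q))]
    expected = s + [-x for x in e[n:]]
    return f, expected


if __name__ == "__main__":
    f, expected = transform_demo()
    print("recovered noise f:", f)
    print("equals (s | -e_1 | ...):", f == expected)
```

The first n coordinates of the new error are the old secret and the rest are negated old errors, which is exactly why the transformed instance is only marginally cheaper to solve when the secret is already as small as the error.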
Independently and concurrently with this work, a new key-exchange protocol based on sparse-secret LWE was proposed in [CKH+16]. A subset of the techniques discussed here is also discussed in [CKH+16], in particular ignoring components of the secret and using lattice scaling as in [BG14].
Combinatorial. This work combines combinatorial and lattice-reduction techniques. As such, it has some similarities with the hybrid attack on NTRU [HG07]. This attack was recently adapted to LWE in the \(\mathcal {B}\)-secret case in [BGPW16] and its complexity revisited in [Wun16].
Rings. Recently, [ABD16] proposed a subfield lattice attack on the two fully homomorphic encryption schemes YASHE [BLLN13] and LTV [LTV12], showing that NTRU with “overstretched” moduli q is less secure than initially expected. Shortly after, [KF16] pointed out that the presence of subfields is not necessary for these attacks to succeed. NTRU can be considered the homogeneous version of Ring-LWE, but there is currently no indication that these attacks can be translated to the Ring-LWE setting. There is currently no known algorithm which solves Ring-LWE faster than LWE for the parameter choices (ring, error distribution, etc.) typically considered in FHE schemes.
3 Amortising Costs
If the cost of distinguishing LWE from random with probability \(\varepsilon \) is c, the cost of solving is customarily estimated as at least \(c/\varepsilon \) [LP11]. More precisely, applying Chernoff bounds, we require about \(1/\varepsilon ^2\) samples to amplify a decision experiment succeeding with advantage \(\varepsilon \) to a constant advantage. Hence, e.g. in [APS15], the dual attack is costed as the cost of running BKZ-\(\beta \) to achieve the target \(\delta _0\) multiplied by the number of samples required to distinguish with the target advantage, i.e. \(\approx c/\varepsilon ^{2}\).
In the case of the dual attack, this cost can be reduced by performing re-randomisation on the already reduced basis. If \(\mathbf {L} \) is a basis for the lattice \(\varLambda _q(\mathbf {Y})\), we first compute \(\mathbf {L} '\) as the output of BKZ-\(\beta \) reduction, where \(\beta \) is chosen to achieve the target \(\delta _0\) required for some given target advantage. Then, in order to produce sufficiently many relatively short vectors \(\mathbf {y} _i \in \varLambda _q(\mathbf {Y})\), we repeatedly multiply \(\mathbf {L} '\) by a fresh random sparse unimodular matrix with small entries to produce \(\mathbf {L} _i'\). As a consequence, \(\mathbf {L} _i'\) remains somewhat short. Finally, we run BKZ-\(\beta '\) with \(\beta ' \le \beta \) on \(\mathbf {L} _i'\) and return the smallest non-zero vector as \(\mathbf {y} _i\). See Algorithm 1, where \(\varepsilon _{d}\) is chosen following Lemma 1 (see below for the expectation of \(\left\| {\mathbf {y}}\right\| \)) and \(m\) is chosen following [SL12].
That is, similar to BKW, which in a first step produces elimination tables which allow sampling smaller dimensional LWE samples in \(\mathcal {O}{(n^2)}\) operations, we first produce a relatively good basis \(\mathbf {L} '\) to allow sampling \(\mathbf {y} _i\) relatively efficiently.
Heuristic. We note that, in implementing this strategy, we lose statistical independence. To maintain statistical independence, we would consider fresh LWE samples and distinguish \(\left\langle {\mathbf {y} _i},{{\mathbf {e} }_i}\right\rangle \) from uniform. However, neither HElib nor SEAL provides the attacker with sufficiently many samples to run the algorithm under these conditions. Instead, we attempt to distinguish \(\left\langle {\mathbf {y} _i},{{\mathbf {e} }}\right\rangle \) from uniform. Furthermore, since we perform only light re-randomisation, our distribution could be skewed if the \(\mathbf {y} _{i}\) in \(\left\langle {\mathbf {y} _i},{{\mathbf {e} }}\right\rangle \) are not sufficiently random. Just as in BKW-style algorithms [ACF+15], we assume the values \(\left\langle {\mathbf {y} _i},{{\mathbf {e} }}\right\rangle \) are distributed closely enough to the target distribution to allow us to ignore this issue.
Experimental Verification. We tested the heuristic assumption of Algorithm 1 by rerandomising a BKZ60 reduced basis using Algorithm 4 with \(d=3\) followed by LLL reduction several hundred times. In this experiment, we recovered fresh somewhat short vectors in each call, where somewhat short means with a norm at most twice that of the shortest vector of \(\mathbf {L} '\). We give further experimental evidence in Sect. 6.
Finally, we note that this process shares some similarities with random sampling reduction (RSR) [Sch03], where random linear combinations are LLL reduced to produce short vectors. While, here, we are only performing sparse sums and accept larger norms, the techniques used to analyse RSR might permit reducing our heuristic to a more standard heuristic assumption.
4 Scaled Normal Form
Remark 2
In our estimates for HElib and SEAL, we typically have \(m=n\) and \([\mathbf {I} _{m-n} \mid \mathbf {B} '] \in \mathbb {Z} ^{0 \times n}\).
As a consequence, we arrive at the following lemma, which is attained by combining Eq. (2) with Lemma 1.
Lemma 3
Remark 3
We focus on \(m' = 2\,n\) in Lemma 3 for ease of exposition. For the instances considered in this work, \(m' = 2\,n\) is a good approximation for \(m'\) (see Sect. 6).
For Example 1 we predict a cost of \(2^{107.4}\) operations mod \(q\) for solving Decision-LWE when applying this strategy. Amortising costs as suggested in Sect. 3 reduces it further to \(2^{{101.0}}\) operations mod \(q\).
5 Sparse Secrets
Recall that BKW-style algorithms consist of two stages or, indeed, sub-algorithms. First, in the reduction stage, combinatorial methods are employed to transform an LWE instance in dimension \(n\) into an instance of dimension \(0 \le n' \le n\), typically with increased noise level \(\alpha \). This smaller LWE instance is then, in the solving stage, solved using some form of exhaustive search over the secret.
The case \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}_{h}^{\pm } \) permits much larger \(k\) by relaxing the conditions we place on solving the \(k\)-dimensional instance. Instead of solving with probability one, we solve with some probability \(p_k\) and re-run the algorithm in case of failure.
For this, write \(\mathbf {A} \cdot \mathbf {P} = [\mathbf {A} _0 \mid \mathbf {A} _1]\) and \({\mathbf {s} }\cdot \mathbf {P} = [{\mathbf {s} }_0 \mid {\mathbf {s} }_1]\) where \(\mathbf {P} \) is a random permutation matrix. Now, over the choice of \(\mathbf {P} \) there is a good chance that \({\mathbf {s} }_1 = 0\) and hence that \(\mathbf {A} _1 \cdot {\mathbf {s} }_1 \equiv 0 \bmod q\). That is, the right choice of \(\mathbf {P} \) places all nonzero components of \({\mathbf {s} }\) in the \({\mathbf {s} }_0\) part.
Now, assuming \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}_{h}^{-} \), to check if any of those candidates for \({\mathbf {s} }_1\) is correct, we need to compare \(\left( {\begin{array}{c}k\\ j\end{array}}\right) \cdot 2^j\) distributions against the uniform distribution mod \(q\).
1. \(m\) calls to BKZ-\(\beta \) in dimension \(n-k\).
2. \(m \cdot \sum _{i=0}^{\ell } \left( {\begin{array}{c}k\\ i\end{array}}\right) \cdot 2^i \cdot i \) additions mod \(q\) to evaluate \(m\) samples on all possible solutions up to weight \(\ell \).
Asymptotic Behaviour. We arrive at the following simple lemma:
Lemma 4
Let \(0\le h<n\) and \(d > 1\) be constants, \(p_{h,d}\) be some constant depending on \(h\) and \(d\), and \(c_{n,\alpha ,q}\) be the cost of solving LWE with parameters \(n, \alpha , q\) with probability \(\ge 1 - 2^{p_{h,d}^{2}}\). Then, solving LWE in dimension \(n\) with \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}_{h}^{\pm } \) costs \(\mathcal {O}{(c_{n-n/d, \alpha , q})}\) operations.
Proof
Observe that \(p_{h,d} = \lim _{n \rightarrow \infty } {\left( {\begin{array}{c}n-h\\ n/d\end{array}}\right) }/{\left( {\begin{array}{c}n\\ n/d\end{array}}\right) }\) is a constant for any constant \(0 \le h < n\) and \(d > 1\). Hence, solving \(\mathcal {O}{(1/p_{h,d})} = \mathcal {O}{(1)}\) instances in dimension \(n-n/d\) solves the instance in dimension \(n\). \(\square \)
Remark 4
Picking \(d=2\) we get \(\lim _{n \rightarrow \infty } {\left( {\begin{array}{c}n-h\\ n/2\end{array}}\right) }/{\left( {\begin{array}{c}n\\ n/2\end{array}}\right) } = 2^{-h}\) and an overall cost of \(\mathcal {O}{(2^{h} \cdot c_{n/2,\alpha , q})}\). This improves on exhaustive search, which costs \(\mathcal {O}{(2^{h} \cdot \left( {\begin{array}{c}n\\ h\end{array}}\right) )}\), when \(c_{{n/2,\alpha , q}} \in o\left( \left( {\begin{array}{c}n\\ h\end{array}}\right) \right) \).
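The sparse-secret strategy of Sect. 5 (the permutation trick, the candidate count up to weight \(\ell \), and the addition count of item 2) together with the constant \(p_{h,d}\) of Lemma 4 and Remark 4, worked through numerically as an added example; this is neither the paper's code nor the lwe-estimator's. The function names, the hypergeometric generalisation to weight \(\le \ell \) and the sampled secrets are my own constructions.

```python
from fractions import Fraction
from math import comb, log2
import random

# Added example, not the paper's code. A secret s <- B_h^{+-} has exactly h
# non-zero entries in {-1, +1}; a random permutation P splits it into
# [s_0 | s_1] with s_1 of length k, and the attack succeeds when s_1 has
# Hamming weight at most ell (ell = 0 is the case s_1 = 0 of Lemma 4).


def success_probability(n, h, k, ell):
    """Exact probability over P that the k dropped coordinates carry at most
    ell of the h non-zero entries (hypergeometric tail, my generalisation).
    For ell = 0 it is the ratio binom(n-h, k)/binom(n, k) used in Lemma 4."""
    return sum(Fraction(comb(h, j) * comb(n - h, k - j), comb(n, k))
               for j in range(min(ell, h, k) + 1))


def num_candidates(k, ell):
    """Candidates for s_1 of weight <= ell: sum_j binom(k, j) * 2^j (signs)."""
    return sum(comb(k, j) * 2 ** j for j in range(ell + 1))


def eval_additions(m, k, ell):
    """Additions mod q to evaluate m samples on all candidates (item 2)."""
    return m * sum(comb(k, i) * 2 ** i * i for i in range(ell + 1))


def lemma4_constant(n, h, d):
    """p_{h,d} at finite n: binom(n-h, n/d)/binom(n, n/d). Written as the
    product of (n - n/d - i)/(n - i) for i < h it tends to (1 - 1/d)^h,
    i.e. 2^{-h} for d = 2 as in Remark 4."""
    k = n // d
    return Fraction(comb(n - h, k), comb(n, k))


def sample_ternary_secret(n, h, rng):
    """Constructed sample from B_h^{+-}: h random positions, random signs."""
    s = [0] * n
    for idx in rng.sample(range(n), h):
        s[idx] = rng.choice((-1, 1))
    return s


def monte_carlo(n, h, k, ell, trials, seed=1):
    """Empirical frequency of weight(s_1) <= ell over random permutations."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        s = sample_ternary_secret(n, h, rng)
        rng.shuffle(s)                      # apply a uniformly random P
        s1 = s[n - k:]                      # the k dropped coordinates
        if sum(1 for x in s1 if x != 0) <= ell:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Remark 4: p_{h,2} approaches 2^{-h}; the finite-n value is a bit below.
    for h in (1, 8, 64):
        p = lemma4_constant(1024, h, 2)
        print(f"n=1024 h={h:2d} d=2: log2 p_(h,d) = {log2(p):8.2f} (limit {-h})")
    # Sect. 5: relaxing s_1 = 0 to weight <= ell raises the success probability
    # per trial at the price of more candidates to test.
    n, h, k = 1024, 64, 512
    for ell in (0, 2, 4, 8):
        p = success_probability(n, h, k, ell)
        print(f"ell={ell}: log2 p = {log2(p):7.2f}, "
              f"log2 #candidates = {log2(num_candidates(k, ell)):6.2f}, "
              f"expected repetitions = 2^{log2(1 / p):.2f}")
    # Sanity check of the exact formula against simulation on a toy instance.
    print("exact:", float(success_probability(40, 4, 20, 1)),
          "empirical:", monte_carlo(40, 4, 20, 1, 20000))
```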
6 Combined
1. Considering an LWE instance with \(n=100\) and \(q\approx 2^{23}\), \(\alpha = 8/q\) and \(h=20\), we first BKZ-50 reduced the basis \(\mathbf {L} \) for \(c=16\). This produced a short vector \(\mathbf {w} \) such that \(\left| \left\langle \mathbf {w}, \mathbf {c} \right\rangle \right| \approx 2^{15.3}\). Then, running LLL 256 times, we produced short vectors such that \(E\left[ \left| \left\langle \mathbf {w} _{i}, \mathbf {c} \right\rangle \right| \right] = 2^{15.7}\) and standard deviation \(2^{16.6}\).
2. Considering an LWE instance with \(n=140\) and \(q\approx 2^{40}\), \(\alpha = 8/q\) and \(h=32\), we first BKZ-70 reduced the basis \(\mathbf {L} \) for \(c=1\). This took 64 hours and produced a short vector \(\mathbf {w} \) such that \(\left| \left\langle \mathbf {w}, \mathbf {c} \right\rangle \right| \approx 2^{23.7}\), with \(E\left[ \left| \left\langle \mathbf {w}, \mathbf {c} \right\rangle \right| \right] \approx 2^{25.5}\) conditioned on \(\mathbf {w} \). Then, running LLL 140 times (each run taking about 50 s on average), we produced short vectors such that \(E\left[ \left| \left\langle \mathbf {w} _{i}, \mathbf {c} \right\rangle \right| \right] = 2^{26.0}\) and standard deviation \(2^{26.4}\) for \(\left\langle \mathbf {w} _{i}, \mathbf {c} \right\rangle \).
3. Considering the same LWE instance with \(n=140\) and \(q\approx 2^{40}\), \(\alpha = 8/q\) and \(h=32\), we first BKZ-70 reduced the basis \(\mathbf {L} \) for \(c=16\). This took 65 hours and produced a short vector \(\mathbf {w} \) such that \(\left| \left\langle \mathbf {w}, \mathbf {c} \right\rangle \right| \approx 2^{24.7}\) after scaling by \(c\), cf. \(E\left[ \left| \left\langle \mathbf {w}, \mathbf {c} \right\rangle \right| \right] \approx 2^{24.8}\). Then, running LLL 140 times (each run taking about 50 s on average), we produced short vectors such that \(E\left[ \left| \left\langle \mathbf {w} _{i}, \mathbf {c} \right\rangle \right| \right] = 2^{25.5}\) and standard deviation \(2^{25.9}\) for \(\left\langle \mathbf {w} _{i}, \mathbf {c} \right\rangle \).
4. Considering again the same LWE instance with \(n=140\) and \(q\approx 2^{40}\), \(\alpha = 8/q\) and \(h=32\), we first BKZ-70 reduced the basis \(\mathbf {L} \) for \(c=1\). This took 30 hours and produced a short vector \(\mathbf {w} \) such that \(\left| \left\langle \mathbf {w}, \mathbf {c} \right\rangle \right| \approx 2^{25.2}\), cf. \(E\left[ \left| \left\langle \mathbf {w}, \mathbf {c} \right\rangle \right| \right] \approx 2^{25.6}\). Then, running LLL 1024 times (each run taking about 50 s on average), we produced 1016 short vectors such that \(E\left[ \left| \left\langle \mathbf {w} _{i}, \mathbf {c} \right\rangle \right| \right] = 2^{25.8}\) and standard deviation \(2^{26.1}\) for \(\left\langle \mathbf {w} _{i}, \mathbf {c} \right\rangle \).
5. Considering an LWE instance with \(n=180\) and \(q\approx 2^{40}\), \(\alpha = 8/q\) and \(h=48\), we first BKZ-70 reduced the basis \(\mathbf {L} \) for \(c=8\). This took 198 hours (see footnote 8) and produced a short vector \(\mathbf {w} \) such that \(\left| \left\langle \mathbf {w}, \mathbf {c} \right\rangle \right| \approx 2^{26.7}\), cf. \(E\left[ \left| \left\langle \mathbf {w}, \mathbf {c} \right\rangle \right| \right] \approx 2^{25.9}\). Then, running LLL 180 times (each run taking about 500 s on average), we produced short vectors such that \(E\left[ \left| \left\langle \mathbf {w} _{i}, \mathbf {c} \right\rangle \right| \right] = 2^{26.6}\) and standard deviation \(2^{26.9}\) for \(\left\langle \mathbf {w} _{i}, \mathbf {c} \right\rangle \).
All our experiments match our prediction bounding the growth of the norms of our vectors by a factor of two. Note, however, that in the fourth experiment 1 in 128 vectors found with LLL was a duplicate of a previously discovered vector, indicating that re-randomisation is not perfect. While the effect of this loss on the running time of the overall algorithm is small, it highlights that further research is required on the interplay of re-randomisation and lattice reduction.
Applying Algorithm 3 to parameter choices from HElib and SEAL, we arrive at the estimates in Table 1. These estimates were produced using the Sage [S+15] code available at http://bitbucket.org/malb/lwe-estimator, which optimises the parameters \(c, \ell , k, \beta \) to minimise the overall cost.
For the HElib parameters in Table 1 we chose the sparse strategy. Here, amortising costs as in Sect. 3 did not lead to a significant improvement, which is why we did not use it in these cases. All considered lattices have dimension \(<2\,n\). Hence, one Ring-LWE sample is sufficient to mount these attacks. Note that this is less than the dual attack as described in [GHS12a] would require (two samples).
For the SEAL parameter choices in Table 1, dimension \(n=1024\) requires two Ring-LWE samples; larger dimensions only require one sample. Here, amortising costs as in Algorithm 1 does lead to a modest improvement and is hence enabled.
Finally, we note that reducing \(q\) to \(\approx 2^{34}\) resp. \(\approx 2^{560}\) leads to an estimated cost of 80 bits for \(n=1024\) resp. \(n=16384\) for \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}_{64}^{-} \). For \({\mathbf {s} }\leftarrow _{\$}\mathcal {B}^{-} \), \(q \approx 2^{{40}}\) resp. \(q \approx 2^{660}\) leads to an estimated cost of 80 bits under the techniques described here. In both cases, we assume \(\sigma \approx 3.2\).
Footnotes
1. cf. KeyGenerator::set_poly_coeffs_zero_one_negone() at https://sealcrypto.codeplex.com/SourceControl/latest#SEAL/keygenerator.h.
2.
3. The number of operations on integers of size \(\log q\) depends on \(q\) and is not constant. However, constant scaling provides a reasonable approximation for the number of operations for the parameter ranges we are interested in here.
4. Note that the most recent version of SEAL now recommends more conservative parameters [LCP16], partly in reaction to this work.
5.
6. The strategy seems to be folklore; we were unable to find a canonical reference for it.
7. All experiments were run on “strombenzin” with an Intel(R) Xeon(R) CPU E5-2667 v2 @ 3.30 GHz.
8. We ran 49 BKZ tours until fplll’s auto-abort triggered. After 16 tours the norm of the then shortest vector was larger by a factor of 1.266 than the norm of the shortest vector found after 49 tours.
Acknowledgements
We thank Kenny Paterson and Adeline Roux-Langlois for helpful comments on an earlier draft of this work. We thank Hao Chen for reporting an error in an earlier version of this work.
References
[ABD16] Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53018-4_6
[ACF+15] Albrecht, M.R., Cid, C., Faugère, J.-C., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Des. Codes Crypt. 74, 325–354 (2015)
[ACFP14] Albrecht, M.R., Cid, C., Faugère, J.-C., Perret, L.: Algebraic algorithms for LWE. Cryptology ePrint Archive, Report 2014/1018 (2014). http://eprint.iacr.org/2014/1018
[ACPS09] Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_35
[ADPS15] Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. Cryptology ePrint Archive, Report 2015/1092 (2015). http://eprint.iacr.org/2015/1092
[ADPS16] Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343. USENIX Association (2016)
[AFFP14] Albrecht, M.R., Faugère, J.-C., Fitzpatrick, R., Perret, L.: Lazy modulus switching for the BKW algorithm on LWE. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 429–445. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-54631-0_25
[AFG14] Albrecht, M.R., Fitzpatrick, R., Göpfert, F.: On the efficacy of solving LWE by reduction to unique-SVP. In: Lee, H.-S., Han, D.-G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 293–310. Springer, Cham (2014). doi: 10.1007/978-3-319-12160-4_18
[AG11] Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22006-7_34
[Ajt96] Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press, May 1996
[APS15] Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of Learning with Errors. J. Math. Cryptology 9(3), 169–203 (2015)
[BCD+16] Bos, J.W., Costello, C., Ducas, L., Mironov, I., Naehrig, M., Nikolaenko, V., Raghunathan, A., Stebila, D.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 1006–1018. ACM Press, October 2016
[BCNS15] Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, pp. 553–570. IEEE Computer Society Press, May 2015
[BDGL16] Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM, January 2016
[BG14] Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014). doi: 10.1007/978-3-319-08344-5_21
[BGPW16] Buchmann, J., Göpfert, F., Player, R., Wunderer, T.: On the hardness of LWE with binary error: revisiting the hybrid lattice-reduction and meet-in-the-middle attack. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 24–43. Springer, Cham (2016). doi: 10.1007/978-3-319-31517-1_2
[BGV12] Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Goldwasser, S. (ed.) ITCS 2012, pp. 309–325. ACM, January 2012
[BKW00] Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. In: 32nd ACM STOC, pp. 435–440. ACM Press, May 2000
[BLLN13] Bos, J.W., Lauter, K., Loftus, J., Naehrig, M.: Improved security for a ring-based fully homomorphic encryption scheme. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 45–64. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-45239-0_4
[BLP+13] Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 575–584. ACM Press, June 2013
[Bra12] Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini and Canetti [SNC12], pp. 868–886
[BV11] Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) 52nd FOCS, pp. 97–106. IEEE Computer Society Press, October 2011
[Che13] Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. PhD thesis, Paris 7 (2013)
[CKH+16] Cheon, J.H., Han, K., Kim, J., Lee, C., Son, Y.: A practical post-quantum public-key cryptosystem based on spLWE. In: Hong, S., Park, J.H. (eds.) ICISC 2016. LNCS, vol. 10157, pp. 51–74. Springer, Cham (2017). doi: 10.1007/978-3-319-53177-9_3
[CS15] Cheon, J.H., Stehlé, D.: Fully homomorphic encryption over the integers revisited. In: Oswald and Fischlin [OF15], pp. 513–536
[CN11] Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_1
[CN12] Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates (full version) (2012). http://www.di.ens.fr/~ychen/research/Full_BKZ.pdf
[CS16] Costache, A., Smart, N.P.: Which ring based somewhat homomorphic encryption scheme is best? In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 325–340. Springer, Cham (2016). doi: 10.1007/978-3-319-29485-8_19
[DXL12] Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012). http://eprint.iacr.org/2012/688
[DTV15] Duc, A., Tramèr, F., Vaudenay, S.: Better algorithms for LWE and LWR. In: Oswald and Fischlin [OF15], pp. 173–202
[FPL16] The FPLLL development team: FPLLL 5.0, a lattice reduction library (2016). https://github.com/fplll/fplll
[FV12] Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144 (2012). http://eprint.iacr.org/2012/144
[GHS12a] Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini and Canetti [SNC12], pp. 850–867
[GHS12b] Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. Cryptology ePrint Archive, Report 2012/099 (2012). http://eprint.iacr.org/2012/099
[GJS15] Guo, Q., Johansson, T., Stankovski, P.: Coded-BKW: solving LWE using lattice codes. In: Gennaro and Robshaw [GR15], pp. 23–42
[GR15] Gennaro, R., Robshaw, M. (eds.): CRYPTO 2015. LNCS, vol. 9215. Springer, Heidelberg (2015)
[GSW13] Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_5
[HG07] Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74143-5_9
[HPS11] Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22792-9_25
[HS14] Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44371-2_31
[KF15] Kirchner, P., Fouque, P.-A.: An improved BKW algorithm for LWE with applications to cryptography and lattices. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 43–62. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-47989-6_3
[KF16] Kirchner, P., Fouque, P.-A.: Comparison between subfield and straightforward attacks on NTRU. IACR Cryptology ePrint Archive, 2016: 717 (2016)
[KL15] Kim, M., Lauter, K.: Private genome analysis through homomorphic encryption. BMC Med. Inform. Decis. Mak. 15(5), 1–12 (2015)
[Laa15] Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-47989-6_1
[LCP16] Laine, K., Chen, H., Player, R.: Simple Encrypted Arithmetic Library - SEAL (v2.1). Technical report MSR-TR-2016-68, Microsoft Research, September 2016
[LN13] Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36095-4_19
[LN14] Lepoint, T., Naehrig, M.: A comparison of the homomorphic encryption schemes FV and YASHE. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 318–335. Springer, Cham (2014). doi: 10.1007/978-3-319-06734-6_20
[LP11] Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19074-2_21
[LP16] Laine, K., Player, R.: Simple Encrypted Arithmetic Library - SEAL (v2.0). Technical report MSR-TR-2016-52, Microsoft Research, September 2016
[LPR10] Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13190-5_1
[LPR13] Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. Cryptology ePrint Archive, Report 2013/293 (2013). http://eprint.iacr.org/2013/293
[LTV12] López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Karloff, H.J., Pitassi, T. (eds.) 44th ACM STOC, pp. 1219–1234. ACM Press, May 2012
[MR09] Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009)
[OF15] Oswald, E., Fischlin, M. (eds.): EUROCRYPT 2015. LNCS, vol. 9056. Springer, Heidelberg (2015)
[Pei09] Peikert, C.: Some recent progress in lattice-based cryptography. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 72–72. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-00457-5_5
[Reg05] Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005
[Reg09] Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009)
[S+15] Stein, W., et al.: Sage Mathematics Software Version 7.1. The Sage Development Team (2015). http://www.sagemath.org
[Sch03] Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). doi: 10.1007/3-540-36494-3_14
[Sho01] Shoup, V.: NTL: A library for doing number theory (2001). http://www.shoup.net/ntl/
[SL12] Sarma, J., Lunawat, P.: IITM-CS6840: Advanced Complexity Theory – Lecture 11: Amplification Lemma (2012). http://www.cse.iitm.ac.in/~jayalal/teaching/CS6840/2012/lecture11.pdf
[SNC12] Safavi-Naini, R., Canetti, R. (eds.): CRYPTO 2012. LNCS, vol. 7417. Springer, Heidelberg (2012)
[Wal15] Walter, M.: Lattice point enumeration on block reduced bases. In: Lehmann, A., Wolf, S. (eds.) ICITS 2015. LNCS, vol. 9063, pp. 269–282. Springer, Cham (2015). doi: 10.1007/978-3-319-17470-9_16
[Wun16] Wunderer, T.: Revisiting the hybrid attack: improved analysis and refined security estimates. Cryptology ePrint Archive, Report 2016/733 (2016). http://eprint.iacr.org/2016/733