Dissection-BKW

  • Andre Esser
  • Felix Heuer
  • Robert Kübler
  • Alexander May
  • Christian Sohler
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10992)

Abstract

The slightly subexponential algorithm of Blum, Kalai and Wasserman (BKW) provides a basis for assessing LPN/LWE security. However, its huge memory consumption strongly limits its practical applicability, thereby preventing precise security estimates for cryptographic LPN/LWE instantiations.

We provide the first time-memory trade-offs for the BKW algorithm. For instance, we show how to solve LPN in dimension k in time \(2^{\frac{4}{3} \frac{k}{\log k} }\) and memory \(2^{\frac{2}{3} \frac{k}{\log k} }\). Using the Dissection technique due to Dinur et al. (Crypto ’12) and a novel, slight generalization thereof, we obtain fine-grained trade-offs for any available (subexponential) memory while the running time remains subexponential.

Reducing the memory consumption of BKW below its running time also allows us to propose QBKW, a first quantum version of the BKW algorithm.
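To make the abstract's starting point concrete, here is the plain Blum–Kalai–Wasserman reduction from [5] that Dissection-BKW builds on, written as an added example for this page; it is not code from the paper and does not implement the paper's trade-off or QBKW. The LPN secret is k bits, the coordinates are split into a blocks of b = k/a bits, each reduction step buckets the sample list by one block and XORs samples within a bucket to zero that block, and the surviving block is recovered by majority vote on unit vectors. The concrete sizes (k = 24, a = 3, tau = 0.1, 100,000 samples) and the seed are constructed for a quick run, not cryptographic parameters.

```python
"""Plain BKW for LPN (Blum, Kalai, Wasserman), added illustration only.
Bit vectors in {0,1}^k are packed into Python ints; bit i is coordinate i."""
import random
from collections import defaultdict


def lpn_oracle(secret, k, tau, n, rng):
    """Return n constructed LPN samples (a, b) with a uniform in {0,1}^k and
    b = <a, secret> xor e, where e ~ Bernoulli(tau)."""
    samples = []
    for _ in range(n):
        a = rng.getrandbits(k)
        b = bin(a & secret).count("1") & 1  # inner product mod 2
        if rng.random() < tau:
            b ^= 1
        samples.append((a, b))
    return samples


def reduce_block(samples, block_mask):
    """One BKW reduction step.  Bucket the samples by the bits under block_mask
    and XOR every sample in a bucket with the bucket's first element, which
    zeroes that block in the result.  Holding the whole sample list (about 2^b
    buckets, roughly as many samples) is what dominates BKW's memory; each step
    also doubles the number of oracle samples folded into one result, so the
    bias 1 - 2*tau is squared per step."""
    buckets = defaultdict(list)
    for a, b in samples:
        buckets[a & block_mask].append((a, b))
    reduced = []
    for group in buckets.values():
        a0, b0 = group[0]
        for a, b in group[1:]:
            reduced.append((a ^ a0, b ^ b0))  # a ^ a0 is zero on the block
    return reduced


def bkw_recover_block(samples, a_blocks, b_bits, target):
    """Reduce every block except `target`, then recover the b_bits secret bits
    of block `target` by majority vote over the samples whose a is a unit
    vector e_i (for those, b = s_i xor accumulated noise)."""
    for j in range(a_blocks):
        if j == target:
            continue
        mask = ((1 << b_bits) - 1) << (j * b_bits)
        samples = reduce_block(samples, mask)
    votes = [[0, 0] for _ in range(b_bits)]
    for a, b in samples:
        if a and (a & (a - 1)) == 0:  # exactly one bit set: a unit vector
            i = a.bit_length() - 1 - target * b_bits
            votes[i][b] += 1
    block = 0
    for i in range(b_bits):
        if votes[i][1] > votes[i][0]:
            block |= 1 << i
    return block << (target * b_bits)


def bkw(k, a_blocks, tau, n_samples, secret, seed=1):
    """Recover the full k-bit secret by running the reduction once per block,
    each time letting a different block survive.  Returns the recovered int."""
    rng = random.Random(seed)
    b_bits = k // a_blocks
    recovered = 0
    for target in range(a_blocks):
        samples = lpn_oracle(secret, k, tau, n_samples, rng)
        recovered |= bkw_recover_block(samples, a_blocks, b_bits, target)
    return recovered


if __name__ == "__main__":
    # Constructed demo secret; with a = 3 the final bias is (1 - 2*0.1)^4 ~ 0.41.
    secret = 0b101100111010001111000101
    found = bkw(k=24, a_blocks=3, tau=0.1, n_samples=100_000, secret=secret)
    print(f"secret    {secret:024b}")
    print(f"recovered {found:024b}  match={found == secret}")
```

In the asymptotic setting a is about log k and b about k/log k, so the list that `reduce_block` buckets has on the order of 2^{k/log k} entries; every entry is touched once per step, which is why plain BKW's running time and memory are the same 2^{Θ(k/log k)} and why the abstract treats memory, not time, as the obstacle to practical security estimates. The trade-off in this paper is exactly about lowering that list size at the price of extra time.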

Acknowledgements

We would like to thank Eamonn Postlethwaite for his detailed feedback and helpful suggestions on an earlier version of this paper. We are grateful to the anonymous CRYPTO reviewers for their valuable comments.

Andre Esser was supported by DFG Research Training Group GRK 1817. Felix Heuer, Alexander May and Christian Sohler were supported by Mercator Research Center Ruhr, project “LPN-Krypt”.

References

  1.
  2. Alekhnovich, M.: More on average case vs approximation complexity. In: 44th FOCS, pp. 298–307. IEEE Computer Society Press, October 2003
  3. Bai, S., Laarhoven, T., Stehlé, D.: Tuple lattice sieving. LMS J. Comput. Math. 19(A), 146–162 (2016)
  4. Blum, A., Furst, M.L., Kearns, M.J., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_24
  5. Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. In: 32nd ACM STOC, pp. 435–440. ACM Press, May 2000
  6. Bogos, S., Tramèr, F., Vaudenay, S.: On solving LPN using BKW and variants - implementation and analysis. Crypt. Commun. 8(3), 331–369 (2016). https://doi.org/10.1007/s12095-015-0149-2
  7. Bogos, S., Vaudenay, S.: Optimization of LPN solving algorithms. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 703–728. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_26
  8. Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. arXiv preprint quant-ph/9605034 (1996)
  9. Devadas, S., Ren, L., Xiao, H.: On iterative collision search for LPN and subset sum. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part II. LNCS, vol. 10678, pp. 729–746. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_24
  10. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 719–740. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_42
  11. Dohotaru, C., Høyer, P.: Exact quantum lower bound for Grover's problem. arXiv preprint arXiv:0810.3647 (2008)
  12. Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5
  13. Esser, A., Heuer, F., Kübler, R., May, A., Sohler, C.: Dissection-BKW. Cryptology ePrint Archive, Report 2018/569 (2018). https://eprint.iacr.org/2018/569
  14. Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 486–514. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_17
  15. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: 28th ACM STOC, pp. 212–219. ACM Press, May 1996
  16. Guo, Q., Johansson, T., Löndahl, C.: Solving LPN using covering codes. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 1–20. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_1
  17. Guo, Q., Johansson, T., Stankovski, P.: Coded-BKW: solving LWE using lattice codes. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 23–42. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_2
  18. Herold, G., Kirshanova, E.: Improved algorithms for the approximate k-list problem in Euclidean norm. In: Fehr, S. (ed.) PKC 2017, Part I. LNCS, vol. 10174, pp. 16–40. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_2
  19. Herold, G., Kirshanova, E., Laarhoven, T.: Speed-ups and time–memory trade-offs for tuple lattice sieving. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 407–436. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_14
  20. Howgrave-Graham, N., Joux, A.: New generic algorithms for hard knapsacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 235–256. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_12
  21. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: 15th ACM STOC, pp. 193–206. ACM Press, April 1983
  22. Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_1
  23. Laarhoven, T., Mariano, A.: Progressive lattice sieving. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 292–311. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_14
  24. Laarhoven, T., de Weger, B.: Faster sieving for shortest lattice vectors using spherical locality-sensitive hashing. In: Lauter, K.E., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 101–118. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_6
  25. Levieil, É., Fouque, P.-A.: An improved LPN algorithm. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 348–359. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_24
  26. Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
  27. Mitzenmacher, M., Upfal, E.: Probability and Computing: Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, New York (2005)
  28. Regev, O.: New lattice based cryptographic constructions. In: 35th ACM STOC, pp. 407–416. ACM Press, June 2003
  29. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009). https://doi.org/10.1145/1568318.1568324
  30. Schroeppel, R., Shamir, A.: A \(T = O(2^{n/2})\), \(S = O(2^{n/4})\) algorithm for certain NP-complete problems. SIAM J. Comput. 10(3), 456–464 (1981). https://doi.org/10.1137/0210033
  31. Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–304. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_19
  32. Zhang, B., Jiao, L., Wang, M.: Faster algorithms for solving LPN. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 168–195. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_7

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Andre Esser (1)
  • Felix Heuer (1)
  • Robert Kübler (1)
  • Alexander May (1)
  • Christian Sohler (2)

  1. Horst Görtz Institute for IT Security, Ruhr University Bochum, Bochum, Germany
  2. Department of Computer Science, TU Dortmund, Dortmund, Germany
