
Revisiting the Hardness of Binary Error LWE

  • Conference paper
Information Security and Privacy (ACISP 2020)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12248)

Abstract

Binary error LWE is the particular case of the learning with errors (LWE) problem in which errors are chosen in \(\{0,1\}\). It has various cryptographic applications, and in particular, has been used to construct efficient encryption schemes for use in constrained devices. Arora and Ge showed that the problem can be solved in polynomial time given a number of samples quadratic in the dimension n. On the other hand, the problem is known to be as hard as standard LWE given only slightly more than n samples.

In this paper, we first examine more generally how the hardness of the problem varies with the number of available samples. Under standard heuristics on the Arora–Ge polynomial system, we show that, for any \(\epsilon >0\), binary error LWE can be solved in polynomial time \(n^{O(1/\epsilon )}\) given \(\epsilon \cdot n^{2}\) samples. Similarly, it can be solved in subexponential time \(2^{\tilde{O}(n^{1-\alpha })}\) given \(n^{1+\alpha }\) samples, for \(0<\alpha <1\).

As a second contribution, we also generalize the binary error LWE problem to the case of a non-uniform error probability, and analyze the hardness of the non-uniform binary error LWE with respect to the error rate and the number of available samples. We show that, for any error rate \(0< p < 1\), non-uniform binary error LWE is also as hard as worst-case lattice problems provided that the number of samples is suitably restricted. This is a generalization of Micciancio and Peikert’s hardness proof for uniform binary error LWE. Furthermore, we also discuss attacks on the problem when the number of available samples is linear but significantly larger than n, and show that for sufficiently low error rates, subexponential or even polynomial time attacks are possible.
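The Arora–Ge result cited in the abstract can be seen on toy parameters. This is an added example, not code from the paper: each sample with error in \(\{0,1\}\) satisfies \((b-\langle a,s\rangle )(b-\langle a,s\rangle -1)=0 \bmod q\), and treating every product \(s_i s_j\) as a fresh unknown turns about \(n^{2}/2\) samples into a solvable linear system. The parameters (n = 6, prime q = 257, the seed) and all function names are assumptions chosen for illustration.

```python
import random
from itertools import combinations_with_replacement

def gen_samples(secret, q, m, rng):
    """Constructed binary-error LWE samples: b = <a,s> + e mod q, e in {0,1}."""
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in secret]
        e = rng.randrange(2)
        out.append((a, (sum(x * y for x, y in zip(a, secret)) + e) % q))
    return out

def linearize(a, b, q):
    """Expand (b - L)(b - L - 1) = 0 with L = <a,s>:  L^2 - (2b-1)L = -b(b-1).
    Unknowns are s_i (n of them) followed by s_i*s_j for i <= j."""
    lin = [(-(2 * b - 1) * ai) % q for ai in a]
    quad = [((1 if i == j else 2) * a[i] * a[j]) % q
            for i, j in combinations_with_replacement(range(len(a)), 2)]
    return lin + quad + [(-b * (b - 1)) % q]

def solve_mod(rows, q):
    """Gauss-Jordan elimination over GF(q), q prime; unique solution or None."""
    ncols = len(rows[0]) - 1
    rows = [r[:] for r in rows]
    for col in range(ncols):
        piv = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if piv is None:
            return None  # rank deficient: too few independent samples
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, q)
        rows[col] = [(x * inv) % q for x in rows[col]]
        for r in range(len(rows)):
            f = rows[r][col]
            if r != col and f:
                rows[r] = [(x - f * y) % q for x, y in zip(rows[r], rows[col])]
    return [rows[i][-1] for i in range(ncols)]

def arora_ge_recover(samples, n, q):
    """Return the first n unknowns (the secret) of the linearized system."""
    sol = solve_mod([linearize(a, b, q) for a, b in samples], q)
    return None if sol is None else sol[:n]

def demo(n=6, q=257, seed=2020):
    rng = random.Random(seed)
    secret = [rng.randrange(q) for _ in range(n)]
    unknowns = n + n * (n + 1) // 2   # 27 linearized unknowns for n = 6
    samples = gen_samples(secret, q, 2 * unknowns, rng)
    return secret, arora_ge_recover(samples, n, q)
```

With fewer samples than linearized unknowns the system is underdetermined and `arora_ge_recover` returns `None`, which is why parameter choices for binary-error schemes must bound the number of samples an observer can collect.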


Notes

  1. More precisely, it is known that among systems of m equations of prescribed degrees in n unknowns, non-semi-regular systems form a Zariski closed subset. It is believed that this subset has relatively large codimension, so that only a negligible fraction of possible systems fail to be semi-regular. This is related to a conjecture of Fröberg [9]. See e.g. [1, Sect. 1] for an extended discussion.

References

  1. Albrecht, M.R., Cid, C., Faugère, J., Fitzpatrick, R., Perret, L.: Algebraic algorithms for LWE problems. ACM Commun. Comput. Algebra 49(2), 62 (2015)

  2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

  3. Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22006-7_34

  4. Bardet, M., Faugère, J.C., Salvy, B., Yang, B.Y.: Asymptotic behaviour of the index of regularity of quadratic semi-regular polynomial systems. In: Gianni, P. (ed.) The Effective Methods in Algebraic Geometry Conference (MEGA 2005), pp. 1–14. Citeseer (2005)

  5. Buchmann, J., Göpfert, F., Güneysu, T., Oder, T., Pöppelmann, T.: High-performance and lightweight lattice-based public-key encryption. In: Proceedings of the 2nd ACM International Workshop on IoT Privacy, Trust, and Security, pp. 2–9. ACM (2016)

  6. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

  7. Döttling, N., Müller-Quade, J.: Lossy codes and a new variant of the learning-with-errors problem. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 18–34. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_2

  8. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1–3), 61–88 (1999)

  9. Fröberg, R.: An inequality for Hilbert series of graded algebras. Math. Scand. 56, 117–144 (1985)

  10. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  11. Micciancio, D.: Duality in lattice cryptography. In: Public Key Cryptography. p. 2 (2010)

  12. Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 465–484. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_26

  13. Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_2

  14. Regev, O.: The learning with errors problem. Invited Surv. CCC 7 (2010)

  15. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  16. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999)


Correspondence to Chao Sun.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Sun, C., Tibouchi, M., Abe, M. (2020). Revisiting the Hardness of Binary Error LWE. In: Liu, J., Cui, H. (eds) Information Security and Privacy. ACISP 2020. Lecture Notes in Computer Science, vol 12248. Springer, Cham. https://doi.org/10.1007/978-3-030-55304-3_22


  • DOI: https://doi.org/10.1007/978-3-030-55304-3_22


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-55303-6

  • Online ISBN: 978-3-030-55304-3

  • eBook Packages: Computer Science (R0)
