Algebraic algorithms for LWE problems

Albrecht, M.; Cid, Carlos; Faugère, Jean-Charles; Fitzpatrick, Robert; Perret, Ludovic

doi:10.1145/2815111.2815158

Cited by 32 publications

(29 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The attack strategy of Ding [47], Arora-Ge [8], and Albrecht-Cid-Faugère-Fitzpatrick-Perret [4] takes subexponential time to break dimension-n LWE with noise width o( √ n), and polynomial time to break LWE with constant noise width. However, these attacks require many LWE samples, whereas typical cryptosystems such as NTRU and NTRU Prime provide far less data to the attacker.…”

Section: Algebraic Attacksmentioning

confidence: 99%

“…Obviously these sizes are not competitive with 256-bit ECC key sizes, but they are small enough for many applications. 4 Streamlined NTRU Prime provides several implementation advantages and security-auditing advantages beyond the NTRU Prime choice of ring: for example, it eliminates the annoying possibility of "decryption failures" that appear in most lattice-based cryptosystems. Our security analysis indicates that Streamlined NTRU Prime 4591 761 actually provides a large security margin beyond our target security level, compensating for potential progress in estimating the actual cost of lattice attacks.…”

Section: Introductionmentioning

confidence: 99%

“…More precisely, [5] is an example of Product NTRU NTT, using the ring (Z/q)[x]/(x p + 1) with p = 1024 and q = 12289 = 12 · 1024 + 1. 4 For example, our ciphertexts fit into the 1500-byte Ethernet MTU for plaintexts up to a few hundred bytes, avoiding the implementation hassle of packet fragmentation. 5 If an operation takes 100000 cycles then one can imagine a typical quad-core 3GHz CPU completing 1 million operations in just 8 seconds.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

NTRU Prime: Reducing Attack Surface at Low Cost

Bernstein

Chuengsatiansup

Lange

et al. 2017

Lecture Notes in Computer Science

124

View full text Add to dashboard Cite

Abstract. Several ideal-lattice-based cryptosystems have been broken by recent attacks that exploit special structures of the rings used in those cryptosystems. The same structures are also used in the leading proposals for post-quantum lattice-based cryptography, including the classic NTRU cryptosystem and typical Ring-LWE-based cryptosystems. This paper (1) proposes NTRU Prime, which tweaks NTRU to use rings without these structures; (2) proposes Streamlined NTRU Prime, a public-key cryptosystem optimized from an implementation perspective, subject to the standard design goal of IND-CCA2 security; (3) finds high-security post-quantum parameters for Streamlined NTRU Prime; and (4) optimizes a constant-time implementation of those parameters. The resulting sizes and speeds show that reducing the attack surface has very low cost.

show abstract

Section: Algebraic Attacksmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

NTRU Prime: Reducing Attack Surface at Low Cost

Bernstein

Chuengsatiansup

Lange

et al. 2017

Lecture Notes in Computer Science

124

View full text Add to dashboard Cite

show abstract

“…The first type is the Arora-Ge algorithm, which was introduced in [6], and then improved in [7]. This type of algorithm is mostly applicable when the noise is too small for Regev's reduction proof to apply [2].…”

Section: Introductionmentioning

confidence: 99%

The Asymptotic Complexity of Coded-BKW with Sieving Using Increasing Reduction Factors

Mårtensson

2019

2019 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

The Learning with Errors problem (LWE) is one of the main candidates for post-quantum cryptography. At Asiacrypt 2017, coded-BKW with sieving, an algorithm combining the Blum-Kalai-Wasserman algorithm (BKW) with lattice sieving techniques, was proposed. In this paper, we improve that algorithm by using different reduction factors in different steps of the sieving part of the algorithm. In the Regev setting, where q = n 2 and σ = n 1.5 /( √ 2π log 2 2 n), the asymptotic complexity is 2 0.8917n , improving the previously best complexity of 2 0.8927n . When a quantum computer is assumed or the number of samples is limited, we get a similar level of improvement.

show abstract

“…Arora and Ge describe a 2Õ (αq) 2 -time algorithm when q > n to solve the LWE problem [9]. This leads to a subexponential time algorithm when the error magnitude αq is less than √ n. The idea is to transform this system into a noise-free polynomial system and then use root finding algorithms for multivariate polynomials to solve it, using either relinearization in [9] or Gröbner basis in [3]. In this last work, Albrecht et al present an algorithm whose time complexity is 2 (ω+o(1))n log log log n 8 log log n Definition 3.…”

mentioning

confidence: 99%

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

Kirchner

Fouque

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this paper, we study the Learning With Errors problem and its binary variant, where secrets and errors are binary or taken in a small interval. We introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on a quantization step that generalizes and fine-tunes modulus switching. In general this new technique yields a significant gain in the constant in front of the exponent in the overall complexity. We illustrate this by solving within half a day a LWE instance with dimension n = 128, modulus q = n 2 , Gaussian noise α = 1/( n/π log 2 n) and binary secret, using 2 28 samples, while the previous best result based on BKW claims a time complexity of 2 74 with 2 60 samples for the same parameters. We then introduce variants of BDD, GapSVP and UniqueSVP, where the target point is required to lie in the fundamental parallelepiped, and show how the previous algorithm is able to solve these variants in subexponential time. Moreover, we also show how the previous algorithm can be used to solve the BinaryLWE problem with n samples in subexponential time 2(ln 2/2+o(1))n/ log log n . This analysis does not require any heuristic assumption, contrary to other algebraic approaches; instead, it uses a variant of an idea by Lyubashevsky to generate many samples from a small number of samples. This makes it possible to asymptotically and heuristically break the NTRU cryptosystem in subexponential time (without contradicting its security assumption). We are also able to solve subset sum problems in subexponential time for density o(1), which is of independent interest: for such density, the previous best algorithm requires exponential time. As a direct application, we can solve in subexponential time the parameters of a cryptosystem based on this problem proposed at TCC 2010.

show abstract

Algebraic algorithms for LWE problems

Cited by 32 publications

References 27 publications

NTRU Prime: Reducing Attack Surface at Low Cost

NTRU Prime: Reducing Attack Surface at Low Cost

The Asymptotic Complexity of Coded-BKW with Sieving Using Increasing Reduction Factors

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

Contact Info

Product

Resources

About